Skip to content
LegalVision

How to Avoid Preventable Data Breaches

Jacqueline Gibson

By Jacqueline Gibson
Senior Lawyer

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Summarise with: ChatGPT logo ChatGPT Perplexity logo Perplexity Microsoft Copilot logo Microsoft Copilot
Table of Contents

[lmt-post-modified-info]

Since the Notifiable Data Breaches (NDB) scheme came into effect in February 2018, the Office of the Australian Information Commissioner (OAIC) has produced regular reports on the type of notifiable breaches. The OAIC report spanning July 2018 to September 2018 found that human error is responsible for one-third of data breaches. While criminal attacks still cause many data breaches, businesses must ensure they can take practical steps to secure their data. This article will explain how your business can avoid preventable data breaches caused by human error or criminal attacks.

Background: How Does the NDB Scheme Work?

The NDB scheme only applies to businesses who must meet obligations under the Privacy Act. These usually include businesses who have an annual turnover of $3 million or more. If your business is a subsidiary of a holding company that has $3 million or more in turnover, your business will have to comply with the NDB scheme.

Some businesses with a lower turnover may also qualify if they are:

  • private health sector providers;
  • businesses running a residential tenancy database;
  • businesses that opt into Privacy Act; or
  • credit providers. 

If your business does not have to comply with the NDB scheme, you do not have to report data breaches to the OAIC. However, you should still minimise the risk of any data breaches as customers may lose confidence in your business for failing to secure their data. 

You only have to report data breaches if they can be classified as notifiable data breaches (NDBs). A NDB is a breach of personal data that leads to a likely risk of serious harm to an affected individual.

For example, a breach of personal data includes a hacker attacking your business’ computer systems and stealing the personal contact details of your customers.

If a breach occurs and you find there is a likely risk of serious harm to the affected individual, you need to notify the OAIC as well as anyone who is affected by the breach.

What Did the Notifiable Data Breaches Report Find?

Snapshot

From July 2018 to September 2018:

  • there were 245 notifications;
  • 63% of data breaches affected the personal information of 100 individuals or fewer; and 
  • there were two data breaches that affected 100-250,000 people.

Note: These numbers only cover notifiable breaches. They do not include breaches that may have occurred but do not require reporting or have not been reported to the OAIC. 

Data Breach Cause

NDBs were generally caused by:

  • human error (37%); and
  • malicious or criminal attacks (57%). 

Human error includes activities such as:

  • sending emails to the wrong recipient;
  • accidental use of the Carbon Copy (CC) function instead of the Blind Carbon Copy (BCC) function when sending group emails;
  • accidental publication of personal information;
  • insecure disposal of personal information such as in a public bin; and
  • losing a laptop with accessible customer personal information on it.  

Malicious or criminal attacks include:

  • ransomware;
  • hacking;
  • malware;
  • staff members opening phishing emails; and
  • theft of documents or storage devices such as USBs containing personal details. 

Personal Data

Personal data lost to data breaches include:

  • contact information, such as personal address, mobile phone or email (85%);
  • financial information, such as credit card details and bank card information (45%); and
  • identity information, which covers documents such as a driver’s licence, passport number, health information and tax file numbers (35%).

Top Five Industries Affected

The top five industries affected by notifiable data breaches include:

  1. health services providers;
  2. finance industry;
  3. legal accounting and management services;
  4. education sector; and
  5. personal services industry.
Continue reading this article below the form
Loading form

Practical Tips to Avoid Data Breaches

The data shows that many data breaches that occur are preventable. Therefore, as a business, you can:

  1. come up with technological measures to minimise the risk of a data breach; and
  2. find ways to minimise human error breaches.

Examples of technological measures include:

  • updating your cybersecurity software;
  • storing documents within secured files or using reputable hosting providers;
  • using encrypted passwords through a service like Password Manager or LastPass; and
  • implementing email delay add-ons so you can recall emails for a set time.

Examples of ways to minimise human error breaches include:

  • providing shredders and secure document disposal bins;
  • running training for staff on how to handle personal information;
  • creating a privacy manual that sets out how to handle personal information; and
  • assessing privacy risks of a new project that deals with personal data and designing the project to minimise any risks.

Why You Need a Data Breach Plan

Taking preventative measures will help minimise the chance of data breaches. Nonetheless, human error still happens and hackers always come up with creative ways to circumvent security systems.  

Therefore, you must have a comprehensive data breach response plan if a data breach does occur. Your data breach plan will outline how your business will contain and handle the breach according to privacy law.

If your business complies with the Privacy Act, your plan must include an assessment as to whether the breach is notifiable. Time is critical when a data breach occurs, so your plan must help you act quickly to notify the OAIC and affected individuals. If your business does not have to comply with the Privacy Act, you should still have a data breach plan. The plan will help you handle the problem in a professional and timely manner.

Key Takeaways

The most recent OAIC report shows that many data breaches are caused by human error or criminal attacks. Therefore, businesses need to take measures that minimise human error or better protect their data against criminal attacks. However, preventative measures are not enough. A comprehensive data breach will ensure you know how to respond to data breaches in a hurry and maintain customer confidence in your business.

If you have any questions about preventing data breaches, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What businesses must comply with the NBD scheme?

The NDB scheme only applies to businesses that must meet obligations under the Privacy Act. These usually include businesses that have an annual turnover of $3 million or more.

How can I prevent data breaches?

You can come up with technological measures to minimise the risk of a data breach. Additionally, you should find ways to minimise human error breaches.

Register for our free webinars

Demystifying M&A: What Every Business Owner Should Know

Online
Understand the essentials of mergers and acquisitions and protect your business value. Register for our free webinar.
Register Now

Social Media Compliance: Safeguard Your Brand and Avoid Common Pitfalls

Online
Avoid legal pitfalls in social media marketing and safeguard your brand. Register for our free webinar.
Register Now

Building a Strong Startup: Ask a Lawyer and Founder Your Tough Questions

Stone & Chalk Tech Central, Level 1 - 477 Pitt St Haymarket 2000
Join LegalVision and Bluebird at the Spark Festival to ask a lawyer and founder your startup questions. Register now.
Register Now

Construction Industry Update: What To Expect in 2026

Online
Stay ahead of major construction regulatory changes. Register for our free webinar.
Register Now
See more webinars >
Jacqueline Gibson

Jacqueline Gibson

Read all articles by Jacqueline

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

How Should I Respond to a Data Breach?

Do I Have to Nominate a Privacy Officer For My Business?

How to Protect Your Data in the Cloud from Loss and Breach

Does My Business Need to Conduct a Privacy Audit?

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards