Surge in notification of data breaches likely to cause serious harm from malicious acts

May 16, 2025

The Office of the Australian Information Commissioner (OAIC) has recently reported that it received 1,113 notifiable data breach reports in 2024, marking a 25 per cent increase from the previous year and the highest annual total since the inception of the Notifiable Data Breaches (NDB) scheme in 2018 as part of the Privacy Act 1988. This surge highlights the growing risks businesses face in protecting personal data in an increasingly hostile cyber environment.

A notifiable (or "eligible") data breach occurs when personal information is subject to unauthorised access or disclosure, or is lost in circumstances where such access or disclosure is likely, a reasonable person would conclude the breach is likely to result in serious harm to the affected individuals, and remedial action has not prevented that likely risk of serious harm. The main source of breaches in 2024 was malicious and criminal attacks, the overwhelming majority of which stemmed from cyber security incidents.

Australian Privacy Commissioner, Carly Kind, has said, "The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, and the risks to Australians are only likely to increase."

Regulatory responses and enforcement

In June 2024, the OAIC commenced civil penalty proceedings against Medibank, alleging that it seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access, in breach of APP 11. Before commencing proceedings, the OAIC assessed Medibank's size and resources and the nature and volume of the sensitive and personal information it handled. In the OAIC's view, given those resources and the sensitivity of that information, remote access to Medibank's network should only have been possible with multi-factor authentication.

APP 11 requires APP entities to take "reasonable steps" to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

More recently, the OAIC has stepped up its enforcement activity, drawing on the expanded civil penalty regime introduced by the Privacy and Other Legislation Amendment Act 2024, passed in the avalanche of legislation pushed through federal parliament on November 29, 2024.

What should organisations be doing?

There is no fixed definition of what constitutes "reasonable steps" under the Privacy Act; the appropriate measures depend on the specific circumstances of each organisation. Several key factors are typically considered when determining what steps may be reasonable:

  • the nature and size of the APP (Australian Privacy Principles) entity;
  • the volume and sensitivity of the personal information it holds;
  • the potential adverse consequences if a breach occurs; and
  • the practicality and cost of implementing relevant security measures.

To meet these obligations, organisations should consider both technical and organisational measures such as the following.

  • Governance, Culture, and Training
    • Develop and implement organisation-wide privacy and security policies
    • Conduct regular training for staff to ensure awareness of privacy obligations and breach response protocols
  • Internal Practices, Procedures, and Systems
    • Establish robust internal data handling procedures
    • Undertake security assurance testing, especially for sensitive or critical information
    • Implement multi-factor authentication (MFA) for system access, including all remote access to the network
  • ICT Security
    • Enforce strong password and access management controls
    • Secure networks, devices, and applications to prevent unauthorised access
  • Data Lifecycle Management
    • Ensure the secure destruction or de-identification of personal information when it is no longer required.

By aligning with these practices, organisations can better demonstrate that they have taken reasonable steps to protect personal information, as required by the Privacy Act.

Authors

Andrew Chalet | Partner | +61 3 8080 3542 | achalet@tglaw.com.au

Dianne Beer | Special Counsel | +61 2 8248 5816 | debeer@tglaw.com.au

Andrea Roque | Law Graduate

Staying informed and compliant

We invite you to join our upcoming Continuing Professional Development (CPD) session to be presented by our Brisbane team of Hayden Delaney and Steven Hunwicks:

The Best Offence is a Good Defence: 'Reasonable Steps' to Meet Cyber Risk and Privacy Obligations

24 June 2025, 1:00PM AEST

This session will provide practical insights into regulatory expectations and how your organisation can build robust privacy and cyber risk frameworks. If you would like to attend via Zoom please contact rsvp@tglaw.com.au.
