The Office of the Australian Information Commissioner publishes Notifiable Data Breaches statistics twice annually. The data represents only breaches reported under the NDB scheme — primarily businesses above the $3 million turnover threshold. With the proposed removal of the small business exemption, the reporting population and the statistics it produces will expand significantly.
Cyber Incidents vs Human Error
Consistently, approximately half of NDB notifications relate to malicious or criminal attacks — cyber incidents, ransomware, and deliberate data theft. The other half relate to human error — documents sent to the wrong recipient, staff emailing client information to personal accounts, inadequate access controls. Both categories require attention but through different controls.
Healthcare and Finance Lead by Volume
The healthcare sector has consistently led NDB notification volumes since the scheme's inception in 2018. Financial services follows. Both sectors hold highly sensitive personal information in large volumes, face elevated targeting, and have relatively mature breach detection and reporting practices. The volume of notifications from these sectors partly reflects detection capability rather than a uniquely worse security posture.
Contact Information Is the Most Commonly Breached Data Type
Contact information — names, email addresses, phone numbers, addresses — features in the majority of NDB notifications. Financial details and identity information are reported less frequently but represent the highest harm potential. The composition of the breached data determines the notification obligations and the harm assessment.
If our business is currently below the $3 million threshold, should we prepare for NDB obligations now?
Yes. The Privacy Act reforms propose removing the small business exemption. The timeline is uncertain but the direction is clear. Businesses that establish breach detection and response procedures, conduct a data inventory, and train staff on data handling before the exemption is removed will be better positioned than those that treat it as a future compliance project.