
clearlaw

Would the Domino's Pizza and Uber data breaches be notifiable under the new NDB scheme?

The mandatory notifiable data breach scheme (NDB Scheme) in the Privacy Amendment (Notifiable Data Breaches) Act 2017 is in force.

The NDB Scheme requires relevant organisations to notify affected individuals where there has been unauthorised access to, unauthorised disclosure of, or loss of personal information held by the organisation, and a reasonable person would conclude that the access or disclosure is likely to result in a real risk of "serious harm" to any individual affected by the breach, whether that harm is physical, psychological, emotional, financial or reputational.

Raph Goldenberg, Partner and Andrew Thompson, Special Counsel, CIE Legal

With the NDB Scheme now in operation, it is worth considering two recent high-profile data breaches to illustrate how the NDB Scheme might apply in similar scenarios.

Domino's Pizza

In October 2017, Domino's Australia notified customers that it was investigating a potential issue with a former supplier's systems which may have led to unauthorised access to a number of customer email addresses, names and the store locations where customers placed orders. The data was used to send phishing emails to Domino's customers which looked legitimate because they addressed customers by first name and mentioned their local suburb, in an attempt to provoke a reply.

Would this be a notifiable breach?

While the personal information did not include information such as financial account details, credit or debit card numbers or other sensitive information, the combination of names, email addresses and store purchase locations could have created a greater risk of harm to the individuals (including the possibility of locating them, with the attendant risk of physical harm) than any single piece of information would. The amount of data about the individuals concerned, the potential for them to be located using that data, and the fact that this much information about the customers ended up in the hands of a phishing email sender would surely have made it a notifiable data breach under the NDB Scheme.

Uber

Uber recently announced that it was subject to a hack in which its customer data was downloaded from a third-party cloud server used by Uber. The data included names, email addresses and mobile phone numbers of 57 million users worldwide and, in some cases, Uber drivers' licence numbers. Uber allegedly paid USD $100,000 to the hackers in order to conceal the breach.

Would this be a notifiable breach?

Uber has allegedly stated that it does not consider an email address to be personally identifiable information, and claims that no user's financial, credit card or journey information was accessed. As with the Domino's case, the combination of the various types of personal information breached, and the significant extent of the breach, would likely mean that this would be a notifiable breach under the NDB Scheme.

If there is a Notifiable Data Breach, what should you do next?

If the Domino's and Uber breaches were notifiable breaches under the NDB Scheme, each would need to:

  1. notify the individuals affected by the breach. This notification would need to include, among other things, a description of the breach and the type of personal information involved;
  2. notify any third parties as required by legislation. For example, some legislation may require that health care providers or the Office of the Australian Information Commissioner (OAIC) be notified in certain circumstances; and
  3. implement a prevention plan to prevent similar breaches in the future. If organisations fail to comply with the NDB Scheme, they can incur civil penalties of up to $1.8 million.

Businesses and organisations should ensure that they have a "data breach response plan" with clear roles and responsibilities assigned to staff to contain, assess and evaluate a breach and, if necessary, notify affected individuals and the OAIC. A robust plan will not only minimise the impact of a breach, it will help achieve compliance with the NDB Scheme. This is especially important given the significant consequences of non-compliance, including penalties of up to $1.7 million as well as potential compensation for damages.

The OAIC has provided a useful flow chart on how to respond to a data breach: see https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/flowchart.pdf.
