Breaching boundaries: improving data breach notifications in Australia
This report presents the findings of a research project examining organisational data breach disclosure and notification practices with the aim of evaluating how organisations are navigating the increasingly complex space of data breach notifications. The report presents ten key findings and associated recommendation(s) to support an improved disclosure regime and guide organisational best practice as data breach notification assessments are made.
Data breaches occur when personal information is accessed or disclosed without authorisation, or lost. The World Economic Forum reports that instances of compromised data increased globally by 72% between 2022 and 2023. In Australia, data breaches are rising in both size and frequency, with a significant impact on individuals and organisations. For individuals, the consequences include compromised privacy, ‘serious harm’ (including, but not limited to, psychological, reputational and financial harm) and identity theft. For organisations, breaches are costly and sometimes disastrous.
The key findings are presented under the following themes:
- Definitional challenges: ‘likely to cause serious harm’?
- Incentive design challenges: ransoms, fines and workplace culture
- Regulation: more resourcing and powers?
- Notifications: too much or not enough?
- Third-party vendors: who notifies?
- Data retention: how long to store data?
- Production data testing: unnecessarily increasing risks?
- Not-for-profits: unique challenges
- Cyber experts: more than a niche skill?
- Best practice: optimisation through industry collaboration?