Snapshot
- A compensation case brought by one individual impacted by a NSW government data breach has resulted in a significant determination, as the breach revealed wholly inadequate data security practices at the agency.
- The case is relevant to all organisations because of the nature of the conduct found to breach the data security requirements in privacy law, the way the breach was notified to affected individuals, the size of the compensation payout and the other remedies ordered.
- A Mandatory Notification of Data Breaches Scheme will commence for NSW public sector agencies, local councils and universities on 28 November 2023.
While we wait for the repercussions of the Optus, Medibank and Latitude Financial data breaches to play out through investigations and class actions, a less publicised data breach by a NSW government agency has resulted in a case notable for its compensation payout and other significant remedies. At the time of the breach, NSW public sector agencies were covered by a voluntary notifiable data breach scheme. A mandatory scheme will commence on 28 November 2023. The NSW Civil and Administrative Tribunal’s (‘NCAT’) autopsy of what icare did, both before and after a data breach, provides a lesson for organisations of any type.
The breach: A simple error snowballs
The case of FMM v Nominal Insurer [2023] NSWCATAD 114 arose out of a data breach affecting almost 200,000 people. The data breach was not the result of criminal conduct such as hacking or phishing, but a combination of factors. NCAT described it as human error leading to system failure. The incident could also be characterised as reflecting an under-investment in privacy protection in the design of systems for handling and sharing high-value personal information.
icare manages the workers compensation scheme in NSW, on behalf of the Nominal Insurer. For employers over a certain size, it was icare’s practice to provide a monthly report to each employer about the status of all workers compensation claims affecting that employer. The monthly ‘cost of claims’ reports were set out in a spreadsheet, which included personal information about injured workers at that workplace. The information included each worker’s name, date of birth, gender, description of occupation, date of injury, nature of the injury or disease, working days lost, whether liability was accepted or declined, weekly compensation payment amount and gross amount paid on the claim.