There has been a dramatic increase in data breaches in the past few months as hackers have taken advantage of the COVID-19 pandemic. Australia’s government is doing its part through a series of initiatives, including the Notifiable Data Breaches (NDB) scheme, a revision to its cyber security strategy, and funding of security education in universities.

In a recent threat update by the Australian Cyber Security Centre (ACSC), Australians were asked to be especially careful when opening coronavirus-themed emails and text messages because malicious cyber actors are exploiting people’s fears and searches for up-to-date information.

Australians are currently being targeted by a wide variety of phishing schemes, most designed to steal sensitive, personal information or to install malicious software on the user’s connected device. However, looking at the figures going back to July 2019, Australians had become a hacking favorite even before the pandemic struck. Between July and December 2019, the Office of the Australian Information Commissioner (OAIC) logged a 19 percent increase in the number of data breaches compared to the first six months of 2019. One in three breaches could be traced back to compromised login credentials.

Data breaches and the NDB notification rules

While Australia’s digital infrastructure is mainly owned by the private sector, its cyber security is a shared responsibility between government and industry. The government’s well-established NDB scheme gives clear guidelines in the event that data breaches should occur and has uncovered almost 1,000 data breaches during its first year, pushing both the government and the private sector to take a proactive cyber defense stance.

Australia’s NDB Scheme is regulated by law and clearly defines the mandatory notifications and control requirements around data breaches.
Australia’s definition of a data breach includes any unauthorized disclosure or access to sensitive personal information.

As such, any attack that leads to access of phone numbers, banking information or medical data (even if it doesn’t exfiltrate the data) needs to be reported. The NDB scheme’s privacy amendments do provide for turnover and harm thresholds, very much in line with the US harm thresholds as well as the European Union’s GDPR data breach guidelines.

In line with the NDB scheme’s rules, an organization must alert the Australian authorities as soon as it becomes aware of a harmful breach event. The breach details, the type and amount of data accessed, and the steps those affected need to take must be provided in each report.

Should an organization fail to report data breaches on two or more occasions, the OAIC may seek a civil penalty of up to $2.1 million against the organization. That may sound severe, given that many organizations are unaware of their server or online vulnerabilities, but the remediation exceptions do give the covered entities some breathing room.

If the breached organization can show that it took action on the unauthorized disclosure or access before it resulted in serious harm, it does not need to report it. As such, many Australian organizations have adopted refined and highly structured threat modeling processes to identify, quantify and prioritize any cyber threats.

Many organizations have come to rely on alerting systems to ensure any network anomalies are picked up to stop breaches before too much harm can be done. These alerts can take many forms, but when it comes to data breaches, many configure their email environment in such a way that no emails can be automatically forwarded to external email addresses.
Alerts may also be set up in such a way that they trigger scripts to disable all accounts in order to prevent harmful behaviour.

Australia’s NDB scheme effectively acts as the public’s alerting system.

Consumer protections can undermine NDB

Whilst the NDB scheme appears to provide a rigorous model for tracking and reporting data breaches in Australia, this system does not exist in isolation, and other pieces of legislation in the country could undermine its efficacy.

Analysts have long noted that the Australian government is taking a problematic approach to data privacy. Whilst the NDB aims to protect consumers from the poor security practices implemented by the companies that collect their data, other laws in the country seem to actively undermine the right to privacy. Much of this criticism has been targeted at the recent passing of a bill that aims to prevent the use of strong encryption. The Australian government has claimed that national security can only be ensured as long as the government has access to user data, and this means that tech companies must build back doors into their encryption schemes that allow them to be decrypted.

Even if this provision is used responsibly by the Australian government, it creates huge problems for data security. Even a basic understanding of how encryption works is enough to show why this is the case: There is no back door that can be used by the government whilst not simultaneously being open to exploitation by hackers (or, in fact, other governments). Whilst the NDB therefore provides information to Australians on when and where their data has been made public, other aspects of their government’s approach could lead to such data breaches becoming more common.

What’s next for Australian government cyber security strategy

The Australian government is currently developing its 2020 Cyber Security Strategy that will serve as a successor to the 2016 Cyber Security Strategy.
The new strategy will address the continuing rise of IoT devices and their influence on network security, smart or connected cities, the establishment of 5G networks as well as the threats that may arise due to our increasingly connected world.

The Cyber Security Strategy is also focused on initiatives aimed at addressing critical skill shortages. The Academic Centres of Cyber Security Excellence (ACCSE) program encourages students to follow careers in cyber safety and other security-related industries. The program gives recognition to those universities that demonstrate high-level cyber security education and training proficiencies, and it will provide $1.9 million in government funding to universities to establish and develop ACCSE programs.