
What Should I Do if I Think My Business Has Had a Data Breach?

Summary

  • The Notifiable Data Breaches Scheme under the Privacy Act 1988 requires APP entities to notify both the OAIC and affected individuals where a data breach involves unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any affected individual and that cannot be prevented by remedial action.
  • Following a data breach, businesses must act promptly to contain the breach, assess whether it meets the threshold for notification, and issue notifications to the OAIC and affected individuals that include a description of the breach, the types of information affected, and recommended steps for individuals to mitigate harm.
  • Businesses should implement a Data Breach Response Plan that assigns clear responsibilities, establishes response procedures, and includes ongoing staff training and post-breach reviews to prevent future incidents.
  • This article is a guide to data breach notification obligations for business owners operating in Australia, produced by LegalVision, a commercial law firm.
  • LegalVision specialises in advising clients on privacy law and data protection compliance.

Tips for Businesses

Prepare a Data Breach Response Plan before a breach occurs, assigning clear responsibilities and response steps. Assess any breach promptly against the three eligibility criteria under the Scheme. Notify the OAIC and affected individuals directly where possible, and publish a website statement if direct notification is not practicable.


A data breach occurs when personal information your organisation holds is accessed or disclosed without authorisation, or is lost in circumstances where that is likely, whether through human error, a cyberattack or a system failure. When a breach happens, your business may have legal obligations to notify both affected individuals and the relevant regulatory authority. This article explains the obligations your business may have and the steps you should take in the event of a data breach.

What is the Notifiable Data Breach Scheme?

The Notifiable Data Breach Scheme (the ‘Scheme’) commenced in February 2018 and sets out mandatory reporting requirements for organisations when a data breach involving personal information occurs.

The Scheme applies to entities covered by the Australian Privacy Act 1988 (‘Privacy Act’), known as APP entities because they are bound by the Australian Privacy Principles. You are likely to be an APP entity if your business:

  • has an annual turnover of more than $3 million;
  • provides a health service or holds health information (other than in an employee record);
  • buys or sells personal information; or
  • is a contracted service provider for a Commonwealth contract.

Businesses below these thresholds can also opt in to coverage under the Privacy Act. Under the Scheme, a covered business must notify the Office of the Australian Information Commissioner (‘OAIC’) and the affected individuals as soon as practicable once it has reasonable grounds to believe that an ‘eligible’ data breach has occurred.

Let us explore the procedure your business should follow.

1. Containing a Breach

Following a data breach, you must take immediate steps to contain it, such as revoking compromised credentials, isolating affected systems or recovering misdirected information, and to remediate any potential harm to affected individuals. Containment should not destroy evidence: record what happened and preserve the logs, systems and other evidence of the suspected or actual breach, because you will need them to establish what information was accessed, by whom and when.

The steps to contain and remediate potential harm to individuals will depend on the kind of data breach. Accordingly, it is best to consult with your internal response and tech teams to determine the most appropriate steps.


2. Assessing Risk and Determining Whether a Data Breach Is Notifiable

Once the breach is contained, you must take all reasonable steps to assess the risk it poses and decide whether it is ‘notifiable’ under the Scheme. Where you suspect, but are not yet sure, that an eligible data breach has occurred, the Privacy Act requires you to carry out a reasonable and expeditious assessment and to complete it within 30 days of becoming aware of the grounds for that suspicion.

An eligible or notifiable data breach occurs where you meet the following three criteria:

  • there is unauthorised access to or disclosure of personal information held by an organisation or agency (or information is lost in circumstances where unauthorised access or disclosure is likely to occur);
  • this is likely to result in serious harm to any individuals to whom the information relates; and
  • the organisation or agency cannot prevent the likely risk of serious harm with remedial action.

This means that a breach is not notifiable under the Scheme where it is not likely to cause serious harm to any individual, or where your remedial action (for example, recovering the information before it was read, or remotely wiping a lost encrypted device) removes the likelihood of serious harm.

In assessing the risk of serious harm, it is important to consider:

  • whether the personal information involved in the breach is sensitive;
  • whether the likely harm is physical, psychological, emotional, financial or reputational;
  • the adequacy of the security measures protecting the information; and
  • the types of people who may obtain the information and the likelihood of their intention to cause harm.

A typical example of serious harm is unauthorised access to a customer’s financial information that leads to identity theft or to financial loss through fraud.

3. Notification

If you determine that the data breach is notifiable under the Scheme, you must issue the following notifications: 

  • OAIC notification; and
  • notification of the individuals whose information was affected by the breach.

Your statement to the OAIC must include: 

  • the identity and contact details of your business;
  • a description of the breach (including whether anyone accessed the information); 
  • the kinds of information affected by the breach; and
  • the steps you recommend affected individuals take in response.

When notifying individuals, you should do so directly where practicable, for example by email, letter or telephone. If direct notification is not practicable, you must publish a copy of the statement on your website and take reasonable steps to publicise it. The notification should describe the circumstances of the breach, its potential impact on the individuals and the steps they should take to mitigate any harm, such as changing passwords or monitoring their accounts.

4. Preventing Future Breaches

Following a data breach, your business should implement a plan to prevent future breaches from occurring. You can limit the impact of any breach by having a Data Breach Response Plan (DBR Plan) in place before one occurs, setting out:

  • who in the business is responsible for dealing with the breach; and
  • what actions they must take if a breach occurs.

Your DBR Plan may also include requirements for the business to:

  • record and archive information regarding data breaches and the breach responses;
  • conduct ongoing post-breach reviews to assess the effectiveness of any response plans;
  • execute any policy or procedure changes to address weaknesses in your security system; and
  • train staff on those policies and procedures.

Key Takeaways

In summary, you must understand your obligations to notify the OAIC and affected individuals if a data breach occurs. Having an appropriate data breach response plan in place lets you contain a breach quickly, assess it within the required timeframe and notify correctly, so that you comply with your obligations under Australian privacy law.

LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced privacy lawyers help businesses manage contracts, employment law, disputes, intellectual property and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 1300 544 755 or visit our membership page.

Frequently Asked Questions

What is a notifiable data breach?

A notifiable data breach occurs when three conditions are met. First, there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by your business. Second, the breach is likely to cause serious harm to the individuals whose information is affected. Finally, your business is not able to prevent the likely risk of serious harm through remedial action.

What do I need to do if a notifiable data breach has occurred?

If an NDB has occurred, you must notify OAIC and the individuals whose information was affected by the NDB. Generally, your notification should include a description of the breach (including the circumstances of the breach and what kind/s of information was affected), the potential impact of the breach on the individuals affected, and any steps that you recommend for those affected individuals to take to mitigate any risks resulting from the NDB.

Which businesses are covered by the Notifiable Data Breach Scheme?

The Scheme applies to APP entities under the Privacy Act, including businesses with an annual turnover of more than $3 million, health service providers, businesses that buy or sell personal information, and contracted service providers for Commonwealth contracts. Smaller businesses can also voluntarily opt in to coverage.

What should a Data Breach Response Plan include?

A DBR Plan should identify who is responsible for managing a breach and the actions they must take. It should also include requirements to record breach information, conduct post-breach reviews, update security policies and procedures, and train staff on those updated policies.


May Preedeesanit

Senior Lawyer | View profile

May is a Senior Lawyer in LegalVision’s Commercial team. She assists businesses seeking advice on commercial contracts, or developing their online presence and operating in the e-commerce space.

Qualifications: Bachelor of Laws, University of New South Wales.

Read all articles by May

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.
