What Should I Do if I Think My Business Has Had a Data Breach?

As a business owner, you may, unfortunately, experience a data breach. A data breach occurs when personal information that an organisation holds becomes accessible without authorisation. For example, this may occur when a staff member sends an email with a client’s personal information to the incorrect recipient, or perhaps a hacker attacks your internal database. Data breaches are a continual risk for many businesses. Accordingly, your business must know its notification obligations to affected individuals and regulatory authorities. 

It is essential that, as a business, you familiarise yourself with your privacy and data obligations and develop an appropriate plan to ensure effective responses to potential data breaches. This article explores the kinds of obligations your business may have and the steps you may take in the event of a data breach.

What is the Notifiable Data Breach Scheme?

The Scheme applies to entities covered under the Australian Privacy Act 1998 (‘Privacy Act’). You may be an APP Entity if your business:

• earns an annual turnover of $3 million or more;
• provides a health service or holds health information (other than in an employee record);
• buys or sells personal information; or
• is a contracted service provider for a Commonwealth contract.

Businesses can also elect for coverage under the Privacy Act. Under the Scheme, a business must notify the Office of the Australian Information Commissioner (‘OAIC’) if it has reasonable grounds to believe that an ‘eligible’ data breach has occurred.

Let us explore the procedure your business should follow.

1. Containing a Breach

Following a data breach, you must take immediate steps to appropriately contain the breach. You should remediate any potential harm to affected individuals. Furthermore, you should record and preserve information and evidence of the suspected or actual data breach.

The steps to contain and remediate potential harm to individuals will depend on the kind of data breach. Accordingly, it is best to consult with your internal response and tech teams to determine the most appropriate steps.

2. Assessing Risk and Determining Whether a Data Breach Is Notifiable

Following containment of a data breach, you must take all reasonable steps to assess the risk of the data breach and consider whether a data breach is ‘notifiable’ under the Scheme.

An eligible or notifiable data breach occurs where you meet the following three criteria:

• there is unauthorised access to or disclosure of personal information held by an organisation or agency (or information is lost in circumstances where unauthorised access or disclosure is likely to occur);
• this is likely to result in serious harm to any individuals to whom the information relates; and
• the organisation or agency cannot prevent the likely risk of serious harm with remedial action.

In assessing the risk of serious harm, it is important to consider:

●   whether the personal information involved in the breach is sensitive;

●   whether the likely harm is physical, psychological, emotional, financial or reputational;

●   the adequacy of the security measures protecting the information; and

●   the types of people who may obtain the information and the likelihood of their intention to cause harm.

For example, a typical example of serious harm includes where unauthorised access to a customer’s financial information leads to theft of their identity or the customer’s financial loss through fraud.

3. Notification

If you determine that the data breach is notifiable under the Scheme, you must issue the following notifications: 

●   OAIC notification; and

●   notification of the individuals whose information was affected by the breach.

You can make a report to the OAIC, which should include: 

• your contact details;
• a description of the breach (including whether anyone accessed the information); and 
• the kinds of information affected by the breach.

When notifying individuals, you should do so directly, including via email or telephone. If this is impossible, you should publish a statement on your website. This notification should include information regarding the circumstances of the breach, the potential impact of the breach and recommendations as to how individuals should respond to the breach to mitigate any harm.

4. Preventing Future Breaches

Following a data breach, your business must implement a plan to prevent future data breaches from occurring. You can limit the impact of a breach by implementing a Data Breach Response Plan (DBR Plan), setting out:

• who in the business is responsible for dealing with the breach; and
• what actions they must take if a breach occurs.

Your DBR Plan may also include requirements for the business to:

• record and archive information regarding data breaches and the breach responses;
• conduct ongoing post-breach reviews to assess the effectiveness of any response plans;
• execute any policy or procedure changes to address weaknesses in your security system; and
• train staff on those policies and procedures.

Due Diligence Guide for Purchasing a Business

Before buying a business, it is important to undertake due diligence, to verify the information supplied by the seller. This guide will walk you through the due diligence process.

Download Now

Key Takeaways

In summary, you must understand the potential obligations to notify the relevant parties if a data breach occurs. Therefore, by ensuring that you have an appropriate data breach response plan, you can ensure that you are acting in compliance with your obligations under Australian Privacy Laws.

If you require assistance managing a potential data breach, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions