Skip to content

My online business website has had a data breach – what can I do?

It is a legal requirement on businesses, agencies and organisations to notify individuals when a breach of security has resulted in the disclosure of personal information. This data breach notification is required by the Privacy Act 1988 (Cth) – agencies and organisations are required to take reasonable steps to maintain the security of the personal information they collect. Any information that is misused, interfered with, or lost from unauthorised access, modification or disclosure must be disclosed. Notification of a data breach supports good privacy practice.

Data Breaches

Data breaches are not limited to malicious actions, such as theft or ‘hacking’, but may arise from internal errors or failure to follow information handling policies that cause accidental loss or disclosure. If a data breach takes place, notification can be an important mitigation strategy. It can also promote transparency and trust in the organisation or agency.

Examples of data breaches:

  • lost or stolen laptops and storage devices
  • hacking of databases
  • employees accessing unauthorised information
  • paper records stolen
  • an individual deceiving an agency or organisation into improperly releasing the personal information of another person

Reasonable Steps to Prevent Breaches of Data

Organisations are required to prepare and implement a data breach policy and response plan. This should include notifying affected individuals and the OAIC (Office of the Australian Information Commissioner) of any breach. If there is a real risk of serious harm as a result of any breach of data, the OAIC should be notified.

Continue reading this article below the form
Loading form

Responding to a Data Breach

There are four key steps to consider when responding to a breach or suspected breach:

  • Step 1: Contain the breach and do a preliminary assessment. This involves taking immediately steps to contain the breach and designate a person or team to coordinate response.
  • Step 2: Evaluate the risks associated with the breach. Consider what personal information is involved.
  • Step 3: Notification. This will involve a risk analysis.
  • Step 4: Prevent future breaches by fully investigating the cause of the breach.

In determining notification, agencies should notify the individuals affected by the breach. However, in some cases it may be appropriate to notify the individual’s guardian or authorised representative on their behalf. The OAIC strongly encourages agencies and organisations to report serious data breaches to the OAIC. The precise wording of the notification notice may have legal implications. Organisations should seek legal advice. The legal implications could include secrecy obligations that apply to agencies.

Preventing Future Data Breaches

In preventing future data breaches, organisations and agencies should implement a breach response plan or a breach response team to handle incidents from occurring again. Enhancing transparency through internal communication and training can also prevent future breaches.

Conclusion

If your business, organisation or agency has been involved in a data breach, our lawyers can assist you with your obligations in complying with the Privacy Act. Please call our office on 1300 544 755 and our Client Care team will happily provide you with an obligation-free consultation and a fixed-fee quote.

Register for our free webinars

Demystifying M&A: What Every Business Owner Should Know

Online
Understand the essentials of mergers and acquisitions and protect your business value. Register for our free webinar.
Register Now

Social Media Compliance: Safeguard Your Brand and Avoid Common Pitfalls

Online
Avoid legal pitfalls in social media marketing and safeguard your brand. Register for our free webinar.
Register Now

Building a Strong Startup: Ask a Lawyer and Founder Your Tough Questions

Stone & Chalk Tech Central, Level 1 - 477 Pitt St Haymarket 2000
Join LegalVision and Bluebird at the Spark Festival to ask a lawyer and founder your startup questions. Register now.
Register Now

Construction Industry Update: What To Expect in 2026

Online
Stay ahead of major construction regulatory changes. Register for our free webinar.
Register Now
See more webinars >
Lachlan McKnight

Lachlan McKnight

CEO | View profile

Lachlan is the CEO of LegalVision. He co-founded LegalVision in 2012 with the goal of providing high quality, cost effective legal services at scale to both SMEs and large corporates.

Qualifications: Lachlan has an MBA from INSEAD and is admitted to the Supreme Court of England and Wales and the Supreme Court of New South Wales.

Read all articles by Lachlan

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards