
Online survey and form building service Typeform recently reported a data breach had taken place in its systems. While the vulnerability has been patched, Australian companies that use the form building software, ranging from Airtasker and Bakers Delight to the Tasmanian Electoral Commission, have revealed some data may have been compromised during the breach. The effects of the data breach are far-reaching, with the potential to affect many more companies.

This article sets out the steps you should take if your business has been affected by the breach. Specifically, it explains whether you need to notify your customers of the breach and how you can safeguard your business against future breaches.

What is the Typeform Data Breach?

Typeform is a Barcelona-based Software as a Service (SaaS) provider. It provides software to companies for online surveys, competitions and webforms. An attacker gained access to a backup of Typeform’s data covering responses collected before 3 May 2018 and, through it, to personal information. According to the affected companies, this information included names and email addresses. For some organisations, such as the Tasmanian Electoral Commission, the breach is more serious because the backup contained electoral details for up to 4,000 voters. 

Does Your Business Need to Comply with the Notifiable Data Breach Scheme?

If your business needs to comply with the Privacy Act 1988 (Cth), it must also comply with the Notifiable Data Breaches (NDB) scheme. Under the NDB scheme, a business must report ‘eligible data breaches’ (breaches that are likely to result in serious harm) to the Office of the Australian Information Commissioner (OAIC). Businesses must also notify the individuals affected by the breach.

The Privacy Act and NDB scheme apply to certain entities in Australia such as:

  • entities with an annual turnover of more than $3 million (including charities and not-for-profit organisations);
  • health service providers (including gyms);
  • some small businesses (including those selling or purchasing personal information); and
  • entities that ‘opt-in’ and choose to comply with the Australian Privacy Principles.

Other small businesses might also need to comply with the NDB scheme, for example because they hold tax file numbers or are credit providers. 

What You Should Do if You Think a Notifiable Data Breach Has Occurred

When it comes to reporting, it is not enough that a data breach has occurred. The breach must also satisfy all of the following criteria:

  • there has been unauthorised access to, unauthorised disclosure of, or loss of personal information that your business holds. For example, an attacker obtains a backup copy of a database, as in the Typeform incident;
  • the access, disclosure or loss is likely to result in serious harm to one or more individuals; and
  • your business has not been able to prevent the likely risk of serious harm through remedial action (for example, by having the data securely deleted before anyone could use it).

What is Serious Harm?

Your business must assess the breach to determine if it is likely to cause serious harm. You must complete this assessment within 30 days of becoming aware of reasonable grounds to suspect a data breach. The 30 days is a maximum, not a target: if it is already clear that the breach is notifiable, you must notify as soon as practicable rather than wait out the assessment period.

The NDB scheme lists the relevant matters that can assist you in determining whether the data breach will result in serious harm. These include:

  • Sensitivity of the information: disclosure of sensitive information, such as health records or sexual orientation, is much more likely to cause serious harm.
  • Type of information: even if the information is not ‘sensitive’ under the Privacy Act, information such as credit card details, Medicare numbers or driver licence numbers is more likely to result in serious harm because it can be used for fraud or identity theft.
  • Whether security measures protect the information: if the information was encrypted, the encryption key was not also exposed, and those who now hold the data cannot break the encryption, release of the information may not cause serious harm. Encryption counts for little if the key was stored alongside the backup or was taken in the same breach.
  • The nature of the harm: releasing credit card details will have immediate and serious consequences. In comparison, releasing only a person’s name generally will not.


However, ‘serious harm’ is not limited to financial loss. It can also include identity theft, loss of employment opportunities, workplace bullying and reputational damage. Therefore, your assessment procedure must consider all possible types of harm.

In the case of the Typeform data breach, your business will need to establish exactly which fields your forms collected and which of them were in the affected backup, and then assess whether their exposure is likely to cause serious harm. In any event, you might decide that it is good business practice to inform your customers that a data breach has occurred even if it is not notifiable. This is particularly so if the breach has been in the media.

How to Report Notifiable Data Breaches

If you have reasonable grounds to believe that your business has suffered an eligible data breach, you must notify the individuals affected by the breach as soon as practicable, for example, by email. You must also inform the OAIC by lodging a statement about the breach. Your notifications should include:

  • the identity of your business and its contact details;
  • a description of the data breach;
  • the kinds of personal information that were disclosed; and
  • your recommendations regarding the steps individuals should take in response to the breach, for example, changing their password or being alert to phishing emails that use their name and email address.

How Can I Prepare My Business For Data Breaches?

If your business needs to comply with the NDB scheme, you should update your privacy policy and procedures. The OAIC also recommends that you prepare a data breach response plan.

Furthermore, you should review any IT contracts under which your business discloses or receives personal information. As part of this review, you should keep control over determining whether a notifiable data breach has occurred, rather than leaving the assessment to the other party. In practice, this means the contract should require the provider to notify you promptly when it suspects a breach and to give you enough detail (what data, which customers and which time period) for you to run your own assessment and meet your own deadlines.

Data Breaches in the European Union

If your business collects personal information belonging to EU residents, you may need to comply with additional reporting requirements in the EU’s General Data Protection Regulation (GDPR). If your business needs to comply with the GDPR, you have up to 72 hours from becoming aware of a reportable personal data breach to notify the relevant supervisory authority, and where the breach is likely to result in a high risk to individuals you must also inform the affected individuals without undue delay. The notification to the supervisory authority must:

  • describe the nature of the personal data breach, the categories and approximate number of people and data records concerned;
  • have a contact point in your business where the supervisory authority can obtain more information;
  • describe the likely consequences of the data breach; and
  • describe any measures taken, or proposed to be taken, by your business to address the breach and where appropriate, any measures taken to mitigate adverse effects.

The GDPR imposes fines for failing to meet these notification obligations of up to ten million euros or 2% of worldwide annual turnover, whichever is higher. Therefore, you should develop or update your internal breach notification procedures and set up adequate data breach identification systems, so that the 72-hour clock does not run out before you know a breach has happened. You should also have a data breach response plan to ensure you are well-prepared in the event of a data breach.

Key Takeaways

You should always prepare your business for the event that a data breach happens. This is especially the case if your business needs to report notifiable data breaches or comply with the GDPR. To do this, you must create assessment procedures to determine if a data breach is notifiable, draft a data breach response plan and review your IT contracts. This means you will be in a better position to respond to a potential data breach and protect your customers against unauthorised access to or use of their data.

If you believe your business has been involved in the Typeform data breach, or if your business needs help to comply with the Notifiable Data Breaches scheme or the GDPR, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.
