iiNet Cyber Attack — your business reminder to avoid and prepare for a data breach

16 October 2025

In August, Australia’s second-largest internet provider iiNet announced a cybersecurity attack had occurred, exposing the email addresses and phone numbers of hundreds of thousands of its customers. While this was a terrible incident for the customers involved, it serves as a reminder to other businesses of the need to prevent and be prepared for data breaches.

A data breach occurs when personal information is accessed, lost or disclosed without authorisation. Personal information is defined in the Privacy Act 1988 (Cth) (Privacy Act) as any information or opinion about an individual who is either identified or reasonably able to be identified. If your business is subject to the Privacy Act and an eligible data breach occurs, you have various obligations under the Notifiable Data Breaches (NDB) scheme, including reporting the data breach to the Office of the Australian Information Commissioner (OAIC) and to the affected individuals.

To comply with your obligations under the NDB scheme, your business approach should be three-fold:

  • establish systems to prevent data breaches;
  • understand when you have to report a data breach; and
  • develop a data breach response plan in case a breach occurs.

Preventative steps to minimise and avoid data breaches

The best way for a business to avoid a data breach is to do everything reasonably possible to prevent it from occurring in the first place. Data breaches can be caused by criminal or malicious attacks, system faults and human error (an unintended action by an individual that results in a data breach). In the OAIC 2024 reporting period, 69% of Australian data breaches were due to criminal or malicious attacks, 29% were due to human error, and 2% were due to system faults.

Common and effective preventative steps include:

  • educating employees about how to handle information securely;
  • regular employee training sessions on bad actor techniques such as phishing, malware and ransomware;
  • mandatory password changes;
  • multifactor authentication;
  • using firewalls and encryption software on devices and documents; and
  • proactive monitoring of systems to identify both authorised and unauthorised access.

Any prevention method your business employs should be regularly updated and reviewed to ensure it is effectively protecting information held by your business.

Reducing the personal information your business holds

The damage from a data breach can also be minimised by your business not collecting or holding unnecessary personal information about an individual. Your business should only collect and hold personal information that is reasonably necessary for your business needs and necessary for complying with other legal obligations.

For example:

  • If your business is required to retain an individual’s tax information for a specified period, the tax information should be destroyed or disposed of once that period ends, so that it is not at risk of exposure if a data breach occurs.
  • If you need to collect information that is high risk, such as driver’s licences, passports or credit card details, then you should question whether it is necessary to retain such information after its use.

When to report a data breach

A data breach needs to be reported when an eligible data breach has occurred. An eligible data breach is a breach that is likely to result in serious harm to an individual. Serious harm is not defined in the Privacy Act, but can include physical, psychological, emotional, economic or financial harm, and serious harm to an individual’s reputation.

Within 30 days of your business having reasonable grounds to suspect that an eligible breach has occurred, you must assess whether or not the breach is reportable. An eligible data breach must then be reported to the affected individuals and the OAIC as soon as possible. The content of the report must be carefully prepared.

Having a data breach response plan

Even if your business takes all possible preventative steps, a data breach may still occur.

Therefore, having a data breach response plan will enable your business to act quickly to reduce the consequences of the breach and notify individuals so they can prepare for any repercussions. A data breach response plan should include:

  • who is part of your business data breach response team and what their roles are;
  • the step-by-step process for managing the data breach;
  • what will be considered when reviewing the data breach;
  • how and when individuals and the OAIC will be notified; and
  • any reporting obligations your business has to cybercrime insurers or to external partners, suppliers or clients.

A robust data breach response plan that is effectively implemented may reduce potential fines and claims, and may also reduce the reputational damage your business sustains because of a data breach. Being proactive in your response to a data breach may also ensure your customers and other businesses trust and continue to do business with you.

Contact us

If you are an Australian business or individual requiring privacy advice, establishing or reviewing your data breach response plan, or seeking advice on preventing or handling data breaches, please contact a member of our Privacy & Data Protection team.

Disclaimer: This publication contains comments of a general nature only and is provided as an information service. It is not intended to be relied upon, nor is it a substitute for specific professional advice. No responsibility can be accepted by Rigby Cooke Lawyers or the authors for loss occasioned to any person doing anything as a result of any material in this publication.

Liability limited by a scheme approved under Professional Standards Legislation.

© 2025 Rigby Cooke Lawyers