With major cyber incidents making headlines across Australia, data breaches are no longer just an IT problem – they’re a major legal and business risk. Australian law imposes serious consequences for failing to protect personal information, including fines, regulatory enforcement, and even personal liability for directors.
In this checklist, our data and privacy law team outlines what your organisation needs to include in a legally compliant Data Breach Response Plan, in line with the Privacy Act 1988 (Cth), the Corporations Act, and the Security of Critical Infrastructure Act.
Key Takeaways
- Businesses must take reasonable steps to secure personal data and respond to breaches
- Certain breaches must be reported under the Notifiable Data Breaches (NDB) scheme
- Directors can be held personally liable for failure to oversee cyber risks
- The OAIC, ASIC, and other regulators can issue fines or pursue legal action
- Strong contracts, insurance, and a well-tested response plan help reduce exposure
What is a Data Breach?
A data breach occurs when personal information held by an entity is subject to:
- Unauthorised access
- Unauthorised disclosure
- Loss likely to result in unauthorised access or disclosure
Common examples include phishing attacks, employee snooping, or lost unencrypted devices.
Learn more about data breaches in our article.
Your Data Breach Response Plan: A Step-by-Step Checklist
A strong response plan helps your organisation respond quickly, meet legal obligations, and reduce damage.
1. Before a Breach Occurs
Preparation is key. Your business should prepare an Incident Response Plan and:
- Implement a cybersecurity framework (e.g. ISO 27001, Essential Eight)
- Encrypt all portable devices and use multi-factor authentication
- Run regular penetration tests and vulnerability scans
- Train employees on phishing, social engineering, and escalation
- Include cybersecurity warranties and audit rights in contracts
2. Assign Key Internal Roles
Before an incident occurs, designate the people responsible for managing a breach:
- Incident Commander – Often the General Counsel or legal lead
- Technical Lead – CIO, CISO, or Head of IT
- Communications Lead – Internal/external PR or marketing team
Clearly defined roles ensure a fast and coordinated response.
3. During a Breach
If a breach occurs:
- Activate your Incident Response Plan promptly
- Isolate affected systems to contain the breach
- Involve forensic specialists
- Revoke or reset access credentials where needed
4. After the Breach
Once the breach is under control:
- Assess whether it is likely to cause serious harm under the NDB scheme
- Notify the OAIC and affected individuals within 30 days if the breach is notifiable
- Document every step of the response, investigation, and resolution
- Review and update your internal policies, controls, and contracts

Frequently Asked Questions
Who must comply with the Notifiable Data Breaches (NDB) scheme?
APP entities, credit providers, TFN recipients, and small businesses that trade in personal information or handle consumer data under the Consumer Data Right.
For practical tips on implementing Privacy by Design principles tailored to the needs of SMEs, check out our article on Privacy by Design for SMEs.
What qualifies as “serious harm” for notification purposes?
Harm that a reasonable person would consider likely to cause significant financial, reputational, psychological, or physical damage to an individual.
Can company directors be personally liable for a data breach?
Yes, if failure to oversee cyber-risk management breaches the duty of care and diligence under s 180(1) of the Corporations Act.
For a comprehensive breakdown of what Privacy Impact Assessments involve and how they benefit organisations, see our article “Privacy Impact Assessments for Businesses.”
How quickly must a business notify the OAIC of an eligible breach?
As soon as practicable, and within 30 days of becoming aware of reasonable grounds to believe an eligible data breach has occurred.
Are outsourced IT providers liable for breaches they cause?
Liability is governed by contract; well-drafted agreements should include express cyber-security obligations, warranties, and indemnities favouring the customer.
About the Author

Farrah Motley