Major cyber incidents at large organisations have put data breaches in the national spotlight. Beyond reputational fallout, Australian businesses face stringent statutory duties, steep civil penalties and potential director liability for failing to secure personal information.
This article, by our Privacy and Data team, outlines current legislation, case law and best-practice guidance to help Australian organisations understand their legal obligations and reduce risk.
Key Takeaways
- APP entities must take reasonable steps to protect personal information and notify eligible breaches
- Company directors owe a duty of care and diligence that extends to cyber-risk oversight
- Critical infrastructure providers shoulder additional cyber obligations under the Security of Critical Infrastructure Act 2018 (Cth)
- OAIC investigations can lead to enforceable undertakings, determinations and civil penalties
- Robust contractual terms, cyber insurance and a tested response plan mitigate liability and financial loss
What is a Data Breach?
A data breach occurs when personal information held by an entity is subject to:
- unauthorised access
- unauthorised disclosure
- loss likely to result in unauthorised access or disclosure
Common examples include employee snooping, phishing attacks that expose customer records, or misplaced USB drives containing unencrypted files.
Types of Personal Information at Higher Risk
- Sensitive information (e.g. health data)
- Identity documentation (passport, driver licence, Medicare)
- Financial credentials
- Combined data sets that enable profiling or fraud
Core Statutory Obligations
Privacy Act 1988 (Cth)
APP 11: entities must take reasonable steps to protect personal information from misuse, interference and loss.
Part IIIC (NDB scheme): mandatory notification to affected individuals and the OAIC where a breach is likely to cause serious harm.
There are civil penalty provisions for serious or repeated interferences with privacy (up to $2.22 million per contravention for bodies corporate, subject to current indexation).
Guide: If you’re running a business and want to ensure you meet all your APP obligations, you’ll find detailed guidance in our Business Guide to Australian Privacy Principles.
Corporations Act 2001 (Cth)
s 180(1): directors and officers must exercise care and diligence, which includes adequate oversight of cyber-risk management.
Failure can expose directors to ASIC enforcement or derivative actions by shareholders.
Security of Critical Infrastructure Act 2018 (Cth)
Designated critical infrastructure assets must adopt and maintain a Risk Management Program and lodge mandatory Cyber Incident Reports.
Ministerial directions may also compel additional security measures.
Sector-Specific Legislation
In addition to the above legislation, the following applies to specific industries:
Telecommunications: Telecommunications (Interception and Access) Act 1979 (Cth) and Telecommunications Act 1997 (Cth).
Health: State-based Health Records Acts and the My Health Records Act 2012 (Cth).
Banking and financial services: APRA CPS 234 standard requires prompt detection and mitigation of information-security incidents.
Case Law Snapshot
Case | Key Point | Outcome |
--- | --- | --- |
 | Reasonable steps must be proactive and responsive to system vulnerabilities | Telstra required to give access and improve security |
OAIC v Facebook Inc (ongoing) | Corporate accountability for data handling under APP 11 | Court examining adequacy of Facebook’s measures during Cambridge Analytica period |
Penalties and Enforcement Powers
Regulator | Power | Example |
--- | --- | --- |
OAIC | Determinations, enforceable undertakings, civil penalty applications | $2.1 million penalty ceiling for APP entities (pre-2022 amendments) |
ASIC | Director/officer liability under s 180 | Investigations following cyber incidents impacting market integrity |
Minister for Home Affairs | Directions to critical infrastructure operators | Mandatory security uplift orders |
Practical Steps to Prevent and Manage Breaches
Implement a Data Breach Response Plan
Having a data breach response plan is essential for any business that collects or stores personal information.
It ensures your team can act quickly and decisively if a breach occurs, limiting damage, protecting affected individuals, and meeting your legal obligations.
A clear, tested plan helps you avoid costly penalties, reputational harm, and delays in notification. In short, it’s a key safeguard for your business, your customers, and your compliance.
Contractual Risk Allocation
- Specific cyber-security warranties
- Indemnities that cover investigation, remediation and third-party claims
- Exclusion or limitation of consequential loss, subject to negotiating power
- Requirement for suppliers to maintain cyber insurance at agreed limits
Cyber Insurance
Modern insurance policies may cover:
- Data-forensic costs
- Business interruption losses
- Regulatory investigations and fines (where insurable)
- Incident response and ransom payments (subject to legality)
If your organisation handles personal information, now is the time to stress-test your cyber-security posture and review your contracts. Contact our team to arrange a tailored risk assessment and response plan.

Frequently Asked Questions
Who must comply with the Notifiable Data Breaches scheme?
APP entities, credit providers, TFN recipients and small businesses that trade in personal information or handle consumer data under the Consumer Data Right.
What qualifies as “serious harm” for notification purposes?
Harm that a reasonable person would consider likely to cause significant financial, reputational, psychological or physical damage to an individual.
Can company directors be personally liable for a data breach?
Yes, where failure to oversee cyber-risk management constitutes a breach of the duty of care and diligence under s 180(1) of the Corporations Act.
How quickly must a business notify the OAIC of an eligible breach?
As soon as practicable and within 30 days of becoming aware of reasonable grounds to believe an eligible data breach has occurred.
Does cyber insurance cover regulatory fines in Australia?
Coverage depends on the policy wording and the insurability of penalties under Australian law; some fines are uninsurable as a matter of public policy.
Are outsourced IT providers liable for breaches they cause?
Liability is governed by contract; well-drafted agreements should include express cyber-security obligations, warranties and indemnities favouring the customer.
What are “reasonable steps” under APP 11?
Measures proportionate to the entity’s size, the sensitivity of data, and the cost of safeguards, such as encryption, access controls, and incident-response planning.
Learn more about APP 11 on the OAIC’s website.