There are a range of things to consider when a data breach happens. A key way to minimise risk once there has been a breach is to have a thorough and achievable breach response plan including:

  • containing and investigating the breach
  • remedying the breach (eg by recovering the data and ensuring it is not able to be misused by anyone who may have had access to it)
  • notifying your insurers / law enforcement
  • notifying regulators, affected individuals and third parties
  • improving security or practices to ensure the breach does not reoccur.

Data breaches involving personal or credit information

Data breaches involving personal information or credit information (for entities covered by the Australian Privacy Act 1988 (Cth) (Privacy Act)), or tax file numbers, fall under the mandatory data breach notification scheme in the Privacy Act.

This requires entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach occurs and where a reasonable person would conclude there is a likely risk of serious harm to affected individuals as a result of that data breach. An assessment of ‘serious harm’ will consider the kind of information, the sensitivity of the information and whether the information is protected by one or more security measures.

The notification must include:

  • the identity and contact details of the entity
  • a description of the data breach
  • the kind of information concerned
  • recommended steps individuals should take to minimise the impact of the breach.

You must also take reasonable steps to investigate suspected data breaches, generally within 30 days.