What are the penalties for failing to report a data breach in Australia?
The Australian legal framework for privacy and data security has shifted from a period of “soft compliance” to active enforcement. There are three primary levels of civil penalty that the OAIC can seek via the courts.
1. Serious or Repeated Interferences with Privacy
Under section 13G of the Privacy Act 1988 (Cth), the maximum penalty for a serious or repeated interference with privacy is the greatest of:
- $50 million;
- Three times the value of the benefit obtained from the contravention; or
- If the court cannot determine the benefit, 30% of the entity’s adjusted turnover during the relevant period.
2. Mid-Tier Civil Penalties
The Privacy and Other Legislation Amendment Act 2024 (Cth) introduced new mid-tier civil penalties. These apply to less serious contraventions such as failing to maintain a compliant privacy policy, not responding correctly to an access request, or failing to have a written data breach response plan. The maximum penalty for a body corporate is $330,000 per contravention.
3. Low-Tier Infringement Notices
For administrative and lower-level failures, the OAIC now has the power to issue “on-the-spot” infringement notices. These fines can reach up to $66,000 per notice for a body corporate.
4. Cyber Security Act 2024 Penalties
Failure to report a ransomware or cyber extortion payment under the Cyber Security Act 2024 (Cth) is a separate offence. This carries a civil penalty of 60 penalty units, which is approximately $99,000 for a body corporate as of early 2025.