What should I do if my business suffers a data breach?

When a data breach occurs, the clock starts immediately. You have legal obligations that must be met within strict timeframes, and every hour of delay can increase both your legal liability and reputational damage.

1. The First 24-72 Hours

The initial response is critical. You should:

  • Contain the breach immediately. Isolate affected systems, disable compromised accounts, and preserve evidence for forensic analysis.
  • Engage legal counsel. A lawyer experienced in cyber incidents can advise on your notification obligations and help protect privilege over incident communications.
  • Engage forensic IT specialists. You need to understand what data was accessed, how the breach occurred, and whether attackers still have access.
  • Do not pay ransom without legal advice. Ransomware payments have complex legal implications and may be illegal in certain circumstances.

2. The Notifiable Data Breaches Scheme

Under the Privacy Act 1988 (Cth), if a data breach is likely to result in “serious harm” to any individual whose data was affected, you must:

  • Notify the Office of the Australian Information Commissioner (OAIC) using the prescribed notification form.
  • Notify affected individuals directly, explaining what happened, what data was affected, and what steps they should take (such as changing passwords or monitoring for identity theft).
  • Complete notification within 30 days of becoming aware of the breach, or as soon as practicable.

3. Who Must Comply?

The NDB scheme applies to:

  • Businesses with annual turnover exceeding $3 million.
  • Health service providers (regardless of turnover).
  • Businesses that buy or sell personal information.
  • Credit reporting bodies and tax file number recipients.
  • Government agencies under the Privacy Act.

Even if you are below these thresholds, a data breach can expose you to claims under contract, negligence, or consumer protection law.

4. Penalties for Non-Compliance

Failure to notify a notifiable data breach can result in civil penalties of up to $50 million for serious or repeated interferences with privacy (for bodies corporate).

Immediate Assistance

If your business has suffered a data breach, time is critical. We provide rapid-response legal counsel to help you contain the incident, meet your regulatory obligations, and protect your business.

Breach in progress? Contact Bell & Senior immediately. Call (07) 5532 8777.