What is a data breach?
A data breach (Data Breach) has been defined by the Office of the Australian Information Commissioner (OAIC) in its guide to developing a data breach response plan as occurring when:
“personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure or other misuse”.
Broadly, a Data Breach can also be described as an interference with the privacy of an individual. An eligible Data Breach occurs when:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
What steps must be taken when there has been a suspected Data Breach?
If there are reasonable grounds to believe that there may have been an eligible Data Breach, an eligible entity (APP Entity) must:
- carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that there has been a Data Breach; and
- take all reasonable steps to have the assessment completed within 30 days after the entity becomes aware of the suspected Data Breach.
How to minimise the risk of a serious breach
Certain preventive measures can be taken by businesses to reduce the risk of a breach being a serious breach, including:
- protecting the information/data that is stored by one or more security measures that are not likely to be overcome;
- using a security technology or methodology designed to make the information unintelligible or meaningless to persons not authorised to obtain the information; and
- ensuring that if the unauthorised information was obtained, it would be unlikely that the unauthorised persons would also be able to circumvent the security technology or methodology that had been put in place.
What is a Data Breach Response Plan?
Whilst the phrase Data Breach Response Plan is descriptive of its anticipated contents, the OAIC has defined the term to mean:
“A data breach response plan is one tool to help you manage a data breach. It is a framework which sets out the roles and responsibilities for managing an appropriate response to a data breach as well as describing the steps to be taken by an entity in managing a breach if one occurs”.
To assist with managing a Data Breach, the OAIC has prepared the following two (2) guides:
- guide to developing a data breach response plan; and
- data breach notification — A guide to handling personal information security breaches.
The benefits of having a Data Breach Response Plan
A Data Breach Response Plan may:
- reduce the cost of the data breach to your organisation (Note: According to the 2017 Ponemon Institute Report, the Cost of Data Breach Study, the average cost of a data breach to an Australian organisation is $141 per record);
- reduce the average cost of a data breach by around 10% (Note: Actions within the first 24 hours can greatly reduce the damage done to affected individuals);
- limit your legal liability to the affected individuals and under the Privacy Act;
- assist in remedying a breach before it becomes an eligible data breach requiring notification of the OAIC and affected individuals;
- limit the damage to your business reputation; and
- minimise the likelihood of receiving a penalty.
Videos about data breach compliance by Dundas Lawyers®
Disclaimer
This page contains general commentary only about data breach compliance, you should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
Why choose Dundas Lawyers® to advise your business on a suspected Data Breach?
Having exerted Blood Sweat and Years® since April 2010 we are the team you want on your side for the long term to act as the ‘bodyguard’ for your business, to ensure you comply with the Privacy Act and act fast in the case of a suspected data breach. Some of the reasons client’s choose Dundas Lawyers® include:
- our Uncommon business acumen;
- our Uncommon expertise in transactional, compliance and litigious matters;
- our Uncommon expertise technology law;
- our Uncommon customer focus;
- the fact that we don’t just know law, we know business!
- how we leverage our Uncommon Nous® to provide client solutions.
Considering getting a lawyer to advise your business on a suspected data breach?
For a confidential, no obligation initial telephone call to find out how we can help your business in addressing a suspected data breach please phone our team on either 1300 386 529 or 07 3221 0013.

Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au

Alternatively complete the form below and we will respond to your inquiry within one (1) business day from the moment you press Submit!
Data breach compliance enquiry
Legislation
- Privacy Act 1988 (Cth)
- Privacy Regulation 2013 (Cth)
- Competition and Consumer Act 2010 (Cth)
- Competition and Consumer Regulations 2010 (Cth)
Guidance by the OAIC:
- guide to developing a data breach response plan; and
- data breach notification — A guide to handling personal information security breaches.
Recent insights about data breaches
-

Dundas Lawyers achieves SMB1001 gold level cyber security certification
On 14 November 2025 Dundas Lawyers achieved the Gold level of the SMB1001 cybersecurity standard.
-

Aust Clinical Labs fined $5.8mil for failing to report data breach
On 8 October 2025, the Federal Court published the judgement of Justice Halley in the case of Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (AIC v ACL). Australian Clinical Labs Limited (ACL) was ordered to pay $5.8 million in civil penalties in relation to a 2022 data breach. This…
-

Federal Government publishes 102-page AI Technical Standard
On 31 July 2025, the Australian Government’s Digital Transformation Agency (DTA) published a 102-page AI Technical Standard (AI Standard) to promote responsible AI use by public sector entities and their staff (Entities). In a media release, DTA’s General Manager Lucy Poole explained that the AI Standard is “designed to integrate with what agencies already do”…
-

What is the US Take It Down Act?
The Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act (Take It Down Act ) is a United States (US) federal law enacted on 19 May 2025. The Take It Down Act amends 47 U.S. Code § 223 (Code) of the Communications Act 1934 (US) (Communications Act) by establishing new…
-

Federal parliament enacts cyber security legislation
On 25 November 2024, the Australian Parliament passed a suite of legislation, collectively referred to by the Australian Government as the Cyber Security Legislative Package 2024. The purported impetus for this legislation was a series of high-profile data breaches in 2022 and 2023.
-

Uber found in breach of Australian privacy laws
This article provides an overview of interesting decisions of Australian Courts in Corporate Law, Technology Law and Intellectual Property. With cases on Trade Marks, Copyright, Defamation, Negligence, Joint Ventures and Confidential Information, it is an invaluable resource for anyone interested in these areas.
-

Overview of the Ransomware Payments Bill 2021 (Cth)
Australian government proposed the Ransomware Payments Bill 2021 (Cth) (Bill) to enforce mandatory reporting of ransomware payments. Penalties of up to $110,000 for non-compliance.
-

De-encryption laws: compelling tech giants to cooperate with law enforcement
The Australian Government is introducing encryption-related legislation that could have significant implications. Get the full scoop on what this Bill could mean for companies and citizens before it is officially announced.
Recent Federal Court decisions regarding data breaches
-
Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92
CORPORATIONS – Financial services licence – ASIC sought declaration under s 1317E(1) of the Corporations Act 2001 (Cth) (Corporations Act) in respect of admitted contraventions of s 912A of the Corporations Act – ASIC sought orders imposing a pecuniary penalty in an agreed sum – where defendant was subject to a cyber attack as a…
-
Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224
PRIVACY ACT – Where an APP entity breached Australian Privacy Principle (APP) 11.1 of the Privacy Act 1988 (Cth) (Act) by failing to take reasonable steps to protect personal information from unauthorised access or disclosure – what constitutes “reasonable steps” – where an APP entity interfered with the privacy of 223,000 individuals under s 13(1)…
-
Australian Information Commissioner v Australian Clinical Labs Ltd (No 2) [2025] FCA 1224
PRIVACY ACT – Where an APP entity breached Australian Privacy Principle (APP) 11.1 of the Privacy Act 1988 (Cth) (Act) by failing to take reasonable steps to protect personal information from unauthorised access or disclosure – what constitutes “reasonable steps” – where an APP entity interfered with the privacy of 223,000 individuals under s 13(1)…












