
BlackBay Insights

Claudia McDonnell

What are your legal obligations if your business has a data breach?

The Government has just unveiled its half a billion-dollar plan to crack down on the escalating threat of cybercrime in Australia. Cybersecurity has taken centre stage on the Government’s agenda driven by the alarming increase in cyber threats, with one reported attack occurring approximately every six minutes in Australia.

Small businesses have been particularly hard-hit, experiencing significant losses, with an average of $100,000 lost for each reported cyber attack.

Over the past year, news headlines have been dominated by high-stakes cyberattacks, resulting in critical infrastructure disruptions, office closures, and the theft of millions of individuals' confidential data.

Most recently, a multinational logistics company was forced to shut down four ports responsible for 40% of Australia’s imports and exports after cyber criminals hacked their systems.

Prominent organisations such as Medibank, Optus, and HWL Ebsworth have faced significant attacks.

The HWL Ebsworth cyber attack, in particular, underscores the staggering volume of sensitive data that has been exposed on the dark web as a result of these breaches.

  • Hackers stole 2.5 million documents and published 1 million of them on the dark web.

  • Hackers demanded a $5 million ransom for return of the documents, but HWL refused to pay the ransom.

  • 65 Government agencies were affected by the breach and had highly sensitive data exposed to the public.

  • 16 AFP officials were at risk of serious harm as a result of the breach which exposed their names and personal phone numbers.

  • Many of the breached documents were subject to legal privilege and could compromise court proceedings that are currently on foot.

While the damage caused by a hack on a top-tier firm was especially mammoth, it does not mean small businesses are any less of a target for cyber criminals.

Why target small businesses?

Organisations such as professional services firms are also targeted because they handle important, sensitive information, they rely heavily on emails and often deal with hundreds of different stakeholders and clients. This creates opportunities for social engineering attacks that impersonate a client or stakeholder, and they are often boutique practices with limited IT departments or cybersecurity resources to support protection measures.

For many businesses, mitigating their cyber security risk may not be high up on their priority list because they have not experienced a cyber-attack. However, the Government’s new cyber security regime demonstrates the serious risk associated with cyber incidents for individuals and businesses.

The harm caused by an attack extends beyond reputational damage: it could also expose you to legal claims from clients, customers or third parties under the Privacy Act 1988, and to action by regulatory bodies.

What are the obligations for businesses?

If the agreement between the business and the client says you will keep the client’s data confidential, the obligation isn’t merely a matter of not chatting about the client outside the purpose or context of disclosure; it requires that, to the extent that it is reasonable, you maintain the privacy of the client’s confidential information and store the relevant data in a way that protects that information.

Further, parties to contractual arrangements may insist on contractual provisions requiring high or higher-level security measures to be implemented (as is often the case with Government parties or high-profile clients or customers), and the contracts may provide that a failure to comply with the privacy, security and/or confidentiality requirements amounts to a fundamental breach of the terms warranting termination or some other remedy or relief.

Australian Consumer Law

Potential liability can arise under section 18 of the Australian Consumer Law, which provides that a person must not, in trade or commerce, engage in conduct that is misleading or deceptive or likely to mislead or deceive. If a business or organisation represents itself as more secure than it is, it may be caught by section 18.

Privacy Act 1988

Regardless of size or structure, organisations to which any of the following conditions apply (including sole practitioners and incorporated companies) have responsibilities under the Privacy Act 1988:

  • Have an annual turnover in excess of $3 million

  • Hold tax file numbers (TFN) of individuals

  • Hold health information about an individual and are deemed to be providing a ‘health service’ (See sections 6 and 6C of the Privacy Act)

These eligible organisations have a legal obligation to ensure that any personal information they collect and hold, whether of a client or a third party, is protected from unauthorised access, disclosure and loss.

Notification of a Data Breach

An eligible organisation must notify affected individuals and the Office of the Information Commissioner when it suspects it has experienced a data breach involving the disclosure of personal information. Specifically, notification is required if:

  • there has been unauthorised access to, or unauthorised disclosure of, the information; and

  • a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

‘Personal information’ is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • Whether the information or opinion is true or not; and

  • Whether the information or opinion is recorded in a material form or not.

Some examples of personal information include:

  • a person’s name

  • home address

  • birth date

  • email address

  • telephone number

  • TFN

  • signature

  • employment details

  • payment details

File notes or emails about a client could be deemed personal information, as they may be interpreted as an “opinion”.

It is important to note that these obligations apply irrespective of whether the information is publicly available. For example, even though an individual’s name, birth date and email address may be available on their Facebook page, organisations that hold this data on their systems must still ensure it is held securely, as it is still considered ‘personal information’.

At BlackBay Lawyers, we are committed to partnering with you in navigating the dynamic landscape of cybersecurity and data breaches. Our team of Privacy and Media experts collaborates closely with organisations to proactively manage their cybersecurity risks and ensure compliance with regulatory frameworks. This strategic approach aims to minimise legal repercussions and safeguard against potential damage to their reputation.

We are well aware of the intense media scrutiny that often follows a data breach or cyberattack on an organisation. To address this, our specialised Reputational Risk team provides guidance and support to both individuals and businesses in effectively responding to and mitigating the impact of reputational harm.
