If you’re running an eCommerce business, or your business stores information online, it’s important to know the legals around data privacy and IP protection. Even where businesses take the right steps to protect their data, some breaches are out of our control. 

So, your business should be prepared for these unideal situations. 

One of the key terms to be aware of is a Notifiable Data Breach

Notifiable Data Breaches are data breaches that are likely to cause ‘serious harm’. When this happens, the business falls under an obligation to notify people who are likely to be affected

This generally applies to businesses to which the Privacy Act 1988 applies (if your business has an annual turnover of more than $3 million). 

Let’s go into a little more detail about what this means for your online business. 

What Is The Notifiable Data Breaches Scheme?

The Notifiable Data Breaches Scheme provides that any organisation that the Privacy Act applies to must inform individuals and the OAIC when a data breach occurs, and it is likely to result in serious harm. 

This is usually the case where the data breach has affected personal or sensitive information. So, this might include customers’ personal data like their name or phone number. 

What Is Considered ‘Serious Harm’?

‘Serious harm’ is a broad term, but according to OAIC, it can include the following:

  • Identity theft (this might involve financial information)
  • Financial loss by way of fraud
  • Risk of physical harm
  • Risk of serious psychological harm
  • Serious harm to an individual’s reputation

OAIC also provides that businesses will have 30 days to determine whether a relevant data breach is likely to cause serious harm. 

There Has Been A Data Breach – What Do I Do?

Let’s say your business has experienced a data breach – but don’t panic! What’s important is that you take the right steps to notify the affected parties. 

First, you want to notify OAIC. You’ll need to fill out a form which allows you to report a data breach. 

Then, you’ll want to notify individuals who might suffer ‘serious harm’ as a result of this data breach. 

How Do I Notify Individuals About A Data Breach?

When it comes to individuals (this includes any third parties or customers), you may want to contact them through emails, text messages or phone calls. You will need to include the following details in the notification:

  • Your organisation’s name and contact details
  • The personal information that was breached
  • A description of the breach
  • Steps you can take in response (this should form part of a Data Breach Response Plan, which we’ll cover in more detail shortly). 

Generally, however, there are 3 options for notifying affected parties:

  1. Notify all affected individuals
  2. Only notify those at a risk of serious harm
  3. If option 1 and 2 are not feasible, provide a public statement by the business

How Do I Respond To A Data Breach?

Businesses should always take the right measures and precautions to ensure they don’t end up in messy situations like these. But unfortunately, things don’t always go as planned and might be out of your control. 

This is why you should always mitigate risks from the outset, and have the right policies in place. This way, when things get complicated, you’ll have a clear process for people to follow and minimise any risk of damage or loss. 

Data Breach Response Plan

If the Privacy Act applies to your business, it’s essential that you have a good Data Breach Response Plan. This written plan should outline the roles and responsibilities of relevant parties where a data breach has occurred. 

It should also be easily accessible for your staff. 

Put simply, a Data Breach Response Plan will set out the process to be followed where there has been a data breach. For example, who is responsible for containing the data? How will you notify the affected individuals? How will you notify OAIC? 

What Are The Civil Penalties For A Data Breach?

If your business suffers a data breach and you fail to comply with the notification requirements set out above, you could be facing fines of up to $2.1 million in addition to compensation for affected individuals.

Furthermore, it could be very difficult to rebuild the transparency and relationship of trust you share with your customers. This is why it’s important to be proactive and prevent the risk of any data breach from the outset.

How Can I Protect My Data And IP?

We’ve covered the steps you can take to respond to a breach, but how can you try to minimise that risk from the beginning?

All businesses should invest in a good cyber security system to avoid any breaches. The following list is a good place to start:

  • Update your systems regularly – this might involve changing passwords or updating your authentication process
  • Monitor your employees’ (and contractors’) access to your systems and data
  • Build a strong Cyber Security System
  • Include Non-Compete Clauses in your contracts
  • Include Confidentiality Clauses in your contracts
  • Train employees about cyber security and your internal policies around data protection

Need Help With A Data Breach Notification?

If your business has experienced a data breach, and you need to inform relevant parties, Sprintlaw has a team of lawyers who can help you draft the right data breach notification for you. It will include the right details for your business and information around the nature of the breach itself. 

You can reach out to us for a free, no-obligations chat at team@sprintlaw.com.au or 1800 730 617.

Rowan Gardoce
Rowan is the Marketing Coordinator at Sprintlaw. She is studying law and psychology with a background in insurtech and brand experience, and now helps Sprintlaw help small businesses
About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.

5.0
(based on Google Reviews)
Have a question?
Get your FREE quote now.

We'll get back to you within 1 business day.

  • This field is for validation purposes and should be left unchanged.