The Privacy Series: Data breach response plan

To help marketers prepare for the impact that the privacy reforms will have on the industry and our practices, we have created The Privacy Series. Each month we will deep dive into one of the key components set to reshape the Privacy Act to understand what they mean for marketers and their businesses.

Data breach response plan

As bad actors continue to threaten cybersecurity controls, seek out vulnerabilities and perpetrate scams, businesses must be prepared to respond to data breaches – especially as the likelihood of a cyber-attack occurring continues to rise.

The Office of the Australian Information Commissioner (OAIC) recently published the 2024 statistics on notifiable data breaches. In 2024, a total of 1,113 data breaches were notified to the regulator and to the public, representing a 25% increase in notifications from the 893 notified in 2023. On this, the Australian Privacy Commissioner Carly Kind said, “The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, and the risks to Australians are only likely to increase. Businesses and government agencies need to step up privacy and security measures to keep pace.”

To help marketers be prepared and ready to notify, should their business experience a data breach, this article outlines your obligations under the Notifiable Data Breaches (NDB) scheme, when to report a data breach and how to develop a notifiable data breach plan. We also outline why the NDB scheme is important for marketers to be familiar with and ready to act upon.

What is the Notifiable Data Breaches scheme?

Forming part of Australia’s privacy framework, the NDB scheme requires entities bound by the Privacy Act to notify affected individuals and the Privacy Commissioner of certain data breaches.
It mandates specific actions that APP entities must take when an eligible data breach occurs. A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost. An eligible data breach is a data breach that is likely to cause serious harm to any person whose personal information is involved, and where the entity is unable to prevent the likely risk of serious harm with remedial action. If an entity promptly takes steps to remediate the data breach and, as a result, the breach is unlikely to cause serious harm, there is no obligation to notify affected individuals or the Commissioner.

It is important to note that, whether or not a data breach is notifiable under the NDB scheme, entities must still respond appropriately to it and take all other data breach response steps, except for notifying affected individuals and the Privacy Commissioner.

What is a data breach and when to report one

Simply put, a data breach occurs when an individual’s personal information that is held by an APP organisation or agency is accessed or disclosed without authorisation, or is lost. However, for a data breach to be eligible under the NDB scheme, it must also be likely to result in serious harm to one or more individuals.

‘Serious harm’ is not defined in the Privacy Act in the context of a data breach. Examples of serious harm can include physical harm or intimidation, psychological or emotional harm, financial loss through financial fraud or identity theft, or reputational harm. For example, a data breach such as the exposure of a customer loyalty database may lead to serious harm, such as phishing attacks or fraud. If the organisation experiencing this data breach cannot take steps to prevent the likely risk of serious harm with remedial action, the breach could potentially cause serious harm.
When all three criteria are met, the data breach is considered an eligible data breach under the NDB scheme, and affected individuals and the Commissioner must be notified.

One example that illustrates this is a company that provides resources, education and support in relation to property investment, which was found to have interfered with the privacy of individuals when it collected personal information of individuals who were in, or perceived to be in, vulnerable positions, from court lists and databases, for inclusion in its weekly leads lists. The information was collected primarily from publicly available sources (including daily court listings across Australia and/or published death and funeral notices), and identified as ‘distressed properties’ in circumstances where a property owner may be motivated to sell their property below market value as a result of divorce, bankruptcy or a deceased estate. The list was disclosed to participants of the company’s Elite Mentoring Program.

The company was found to have failed to collect the personal information by fair means, to take reasonable steps to notify individuals whose information was collected, and to ensure that the information it collected was accurate and up to date. The company was ordered to immediately cease unfairly collecting personal information of individuals from third parties, destroy its leads lists within 30 days, provide the OAIC with evidence of the action it has taken to address the issues raised, update its privacy policies, and publish a written apology.

For marketers managing personal information, it serves as a timely reminder that if a data breach occurs, having a clear, comprehensive and compliant data breach response plan, and acting immediately, is essential to mitigating reputational and regulatory fallout.

How to develop a data breach response plan

While it may sound like a daunting task, developing a data breach response plan is quite straightforward.
To develop your plan, simply follow these steps:

1. Determine applicability – The NDB scheme applies to entities with obligations under the Privacy Act. If your organisation is bound by the Privacy Act, then the NDB scheme applies to you. However, it should be noted that the current Privacy Act reforms may alter this applicability. The potential to remove the small business exemption, or reframe how it currently applies, may widen the scope of application of the Privacy Act on Australian businesses – meaning more businesses may be bound by the obligations of the Act. For those businesses, it would be worthwhile to develop a data breach response plan pre-emptively. This way your plan is operational should the small business exemption be removed or amended under the Privacy Act. It also makes good business sense to have a robust data breach response plan, regardless of your legislative obligations.

2. Identify eligibility – As mentioned above, for a data breach to be considered eligible under the NDB scheme, it must fulfil three criteria: it must be a data breach where personal information is subjected to unauthorised access or disclosure, or loss; the breach must be likely to cause serious harm to any impacted individual; and the entity has been unable to prevent the likely risk of serious harm through remedial action. You have a maximum of 30 days after becoming aware of the data breach to complete this assessment.

3. Assess suspected breach – If your preliminary assessment determines the breach is eligible, notification obligations are triggered. Evaluating the nature and extent of the breach and determining the potential serious harms to affected individuals will assist in the next steps.

4. Notify affected individuals and the OAIC – Prepare a statement that outlines: your organisation’s name and contact details; a description of the eligible data breach; the particular kind or kinds of personal information involved; and recommendations for how affected individuals can protect themselves. Next, submit the statement to the OAIC and notify affected individuals directly. Only where direct contact with affected individuals is not possible is it permitted to publish the notification on the organisation’s website and publicise it through other appropriate channels.

5. Prevent recurrence – Now that a breach has occurred, work on implementing preventative measures to mitigate the risk of future breaches. A rigorous investigation, which seeks to identify the root causes of the data breach, should be initiated for every data breach, whether it is notifiable or not. Remedial actions identified as a result of the root cause analysis should be project managed to completion, to ensure the same types of data breaches do not recur.

For more detailed guidance, refer to the OAIC's Data Breach Preparation and Response guide.

Why data breach response plans are important for marketers

Don’t brush aside the possibility that a data breach will happen, or assume ‘it won’t happen to us’. As the adage goes, ‘failing to plan is planning to fail’. For marketers in this context, if you fail to plan for data breaches, then your next campaign might be an apology. Furthermore, the reputation of your brand, which you have worked hard to build alongside customer trust, risks damage too. Consumer trust is currently one of the most critical drivers of brand value.

While it may be becoming increasingly difficult to avoid a data breach, the response to one is still completely within your control. For this reason, it is so important for marketers to be prepared and ready to respond swiftly and appropriately.
Undoubtedly this will help reassure impacted individuals and assist in restoring their trust in your brand. Swift and decisive action supports consumer and public confidence in the entity’s ability to manage personal information in accordance with community expectations.

Data breaches are not a matter of if, but when. The most resilient brands are not those that avoid a breach. They are the ones that respond swiftly, transparently and responsibly. Being ready for a data breach does not mean expecting failure. It means being accountable and responsible. In a world where consumer trust is hard-earned and easily lost, marketers who plan ahead and act with integrity will not only mitigate damage, they will stand out, recover faster and build stronger, more trusted brands.

Want to feel confident in your compliance obligations? To build your skills and future-proof your brand, explore our regulatory course offering, including online short courses and our in-depth Privacy and Compliance for Marketers program.