- Service providers, security and data breach notification
Obligations to respond appropriately to data breaches
To determine how to respond to a data security breach, a service provider should determine:
- what is the nature of the data security breach;
- what is/are the cause(s) of the data security breach;
- who is the perpetrator of the breach;
- who is affected by the data security breach; and
- what are the potential consequences for the service provider and those affected by the data security breach.
A service provider should have one or more decision-makers (ie a response team) who are responsible for:
- assessing the nature and cause(s) of a data security breach;
- identifying the perpetrator of the breach;
- identifying who is affected and what the potential consequences are; and
- deciding upon an appropriate course of action for the service provider in relation to a data security breach.
It is important for a service provider to first identify the nature of a data security breach, to help it determine and plan an appropriate response.
It is also important for a service provider to identify the cause(s) of a data security breach, to help it determine an appropriate response.
Once a service provider has identified the nature and cause(s) of the data security breach, it can:
- prepare its response plan; and
- implement remedial measures to seek to avoid any recurrence of the data security breach.
The nature of a data security breach, eg a breach of the Privacy Act 1988 (Cth) or a breach of a commercial contract in relation to privacy or data security, may require notification to affected parties or regulators within specified periods of time, and may also require a level of cooperation and disclosure in relation to subsequent investigations. See Overview — The data breach notification regime.
It is also important for a service provider to identify the actual and potential consequence(s) of a data security breach.
Promptly upon becoming aware of a data security breach, a service provider should ensure that key internal stakeholders are:
- alerted to the occurrence of the data security breach; and
- given sufficient information in relation to the data security breach as soon as possible to enable them to assess the potential impacts of the occurrence.
There is a range of issues for a service provider to consider when responding to a data security breach where the service provider is at fault, including breach notification requirements and communications with affected parties.
There is also a range of issues for a service provider to consider when it is affected by a data security breach by another organisation.
See Obligations to respond appropriately to data breaches.