When it comes to data breaches, there is no one-size-fits-all response strategy for your business. Each breach requires a careful assessment of the associated risks, which then informs the appropriate course of action. Depending on the nature of the breach, it may be necessary to support the response team with additional personnel or to seek the expertise of external specialists, such as IT specialists, data forensics experts and human resources advisors.

Recent Developments

With the introduction of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (the Act) businesses are facing stricter penalties and enforcement regimes for privacy breaches.

These amendments compel businesses to introspect and reconsider their data breach processes and policies. We believe now is an opportune time to introduce a new Data Breach Response Plan.

What are the new civil penalty provisions?

Arising from the Federal Government’s announcement, businesses that fail to take the necessary steps to protect their customer data will face significantly higher penalties when a data breach occurs.

The maximum penalties for ‘serious or repeated’ privacy breaches are said to increase from the current $2.22 million to up to $50 million (or three times the benefit of a contravention, or, where the benefit can’t be determined, 30% of domestic turnover). The Act further enforces stronger low-level and mid-tier civil penalties, importantly making entities more vulnerable to pecuniary penalties than before.

So, what is a data breach?

An eligible data breach arises when:

  • there is an unauthorised access and/or disclosure of personal information;
  • the breach is likely to result in serious harm to one or more individuals;
  • the organisation has been unable to prevent the likely risk of serious harm with remedial actions.

What is considered 'serious harm'?

‘Serious harm’ is not presently defined within the Act; the OAIC therefore suggests that an objective test be applied from the viewpoint of a reasonable person.

Some considerations to determine ‘serious harm’ include:

  • the type of personal information involved in the data breach;
  • the circumstances of the data breach;
  • the nature of the harm that may result from the data breach.

Why do you need a Data Breach Response Plan?

A Data Breach Response Plan outlines the processes necessary to manage a data breach. This can be tailored based on the specific breach, allowing certain steps to be combined or omitted as needed. Moreover, considering the breach’s unique characteristics, additional measures may be appropriate to address the situation effectively.

A Data Breach Response Plan can help:

  • reduce costs for the business and affected individuals;
  • protect the reputational interests of your business;
  • exhibit a business’s effort to take ‘reasonable steps’ in the prevention of a breach.

What should you include in your Data Breach Response Plan?

  • guidance on what a data breach is;
  • guidance on how employees should respond to a data breach;
  • escalation procedures;
  • reporting lines for data breaches;
  • notification to the privacy commissioner and third-party providers;
  • notification to your insurers.

Our team can assist you with the preparation of a Data Breach Response Plan. If you require assistance or would like further advice in relation to privacy legislation and data breaches, please contact Marissa Dimarco and the team at Dimarco Garland Lawyers.

*This article is not intended to provide legal advice. Please contact our office to discuss your specific circumstances.