Important note
This information is part of our broader privacy program. You can learn more in our Privacy Program overview.
The Notifiable Data Breaches (NDB) scheme requires entities to notify the OAIC and affected individuals when an 'eligible data breach' occurs.[1]
Effective breach response requires preparation before a breach occurs.
[1]Privacy Act 1988 (Cth), Part IIIC (Notification of eligible data breaches), ss 26WE-26WK.
What is an eligible data breach?
An eligible data breach occurs when:[2]
- There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by the entity; and
- A reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
'Serious harm' includes serious physical, psychological, emotional, financial, or reputational harm. Factors relevant to assessing serious harm include:
- the kind and sensitivity of the information (identity documents, financial information);
- whether the information is protected by security measures (encryption);
- the persons who have obtained or could obtain the information;
- whether the information could be used for identity fraud, financial fraud, or other harm.
The OAIC website has some useful decision trees and checklists to assist in this decision. One of the services available under the QLS Cyber Essentials cyber insurance policy is forensic analysis and expert advice to determine how serious a breach is and whether you have a notification obligation.
Remember: if your firm has a turnover below $3M, the NDB scheme only applies if information collected for AML/CTF purposes is suspected to have been lost. However, our fiduciary and ethical obligations will usually require modified disclosure to the affected parties even where the NDB scheme does not apply.
[2]Privacy Act 1988 (Cth), s 26WE (meaning of eligible data breach).
Law firm context: risk of serious harm
Given the sensitivity of information typically held by law firms — including identity documents, financial details, and confidential legal communications — many data breaches affecting client information are likely to meet the 'serious harm' threshold. Err on the side of treating breaches as notifiable unless clearly low risk.
An example of a low-risk event: an email containing confidential client information is sent to another firm accidentally. The firm agrees to delete the information. You inform your client of the event but may reasonably conclude that no serious harm is likely.
An example of a high-risk event: a conveyancer’s email account is compromised, and attempts to divert funds are unsuccessful. On forensic analysis, it appears that several months’ worth of emails have been copied. Although the attacker’s primary objective seems to have been funds diversion, it is quite possible that the confidential data will be sold. It is likely that this is an NDB event.
The four-step response process
The OAIC recommends a four-step approach to breach response.
The template Data Breach Response Plan provides a basic plan following this framework.
| Step | Action | Key Activities |
| --- | --- | --- |
| Step 1 | Contain | Stop the breach; limit damage; preserve evidence; secure systems; isolate affected data or accounts |
| Step 2 | Assess | Investigate what happened; identify affected information and individuals; assess likelihood of serious harm; document findings (within 30 days if a breach is suspected) |
| Step 3 | Notify | If an eligible data breach: notify the OAIC using the online form; notify affected individuals |
| Step 4 | Review | Conduct post-incident review; identify root cause; implement improvements; update breach response plan; document lessons learned |
The 30-Day Assessment Period
When an entity has reasonable grounds to suspect an eligible data breach may have occurred, it must complete an assessment within 30 days.[3] That is a maximum period. The 30-day period begins when the suspicion arises.
The assessment must determine whether the breach is an 'eligible data breach' — that is, whether serious harm is likely. If the assessment is not completed within 30 days, the breach is deemed to be an eligible data breach and notification is required.[4]
[3]Privacy Act 1988 (Cth), s 26WH (assessment of suspected eligible data breach — 30 day period).
[4]OAIC, Part 4: Notifiable Data Breach (NDB) Scheme.
Notification Requirements
If a breach is an eligible data breach, notification must be provided as soon as practicable.
Notification to the OAIC
The statement to the OAIC must include:[5]
- your firm name, trading entity and contact details;
- a description of the breach;
- the kinds of information involved;
- recommendations about steps individuals should take.
Notification is made via the OAIC's online Notifiable Data Breach form.
Notification to individuals
Affected individuals must be notified with:[6]
- a description of the breach;
- the kinds of information involved;
- recommendations about steps they should take (e.g., monitor accounts, change passwords, contact IDCARE);
- if a client, a recommendation that they seek appropriate legal and other advice.
If direct notification is not practicable (e.g., contact details not available), substitute notification may be appropriate — such as publishing a notice on the firm's website and taking other reasonable steps to publicise the breach.
You should speak to your insurer to review policy obligations as part of this disclosure and notification process.
[5]Privacy Act 1988 (Cth), s 26WK (contents of statement to Commissioner about eligible data breach).
[6]Privacy Act 1988 (Cth), s 26WL (notification to individuals about eligible data breach).
Professional and Confidentiality Considerations
A data breach at a law firm raises additional considerations beyond the NDB scheme:
Professional obligations: A breach involving client data is likely to engage obligations under the Australian Solicitors' Conduct Rules and fiduciary duties to clients. As a general proposition, a solicitor who has made an error adversely affecting client interests must disclose this to the client promptly, frankly and in sufficient detail for the client to make informed decisions.[7]
Affected clients should be notified as a matter of professional conduct (regardless of NDB requirements) once it has been established that client data has been lost.
Insurance: Professional indemnity insurance may be triggered by a data breach. Notify your insurer promptly. QLS Member firms may be eligible for assistance from the Cyber Essentials cybersecurity group policy.
Suspicious matter reports: If the breach relates to AML/CTF records, be mindful of the tipping off prohibition — do not disclose the existence of any suspicious matter reports in breach notifications.[8] Similarly, client details and especially privileged content must be protected. It would be unusual for the OAIC to need access to material which would disclose either of these things.
Other stakeholders: opposing parties must be advised if their client’s confidentiality has been compromised.
You may have given access undertakings to obtain family court or other restricted subpoena material; a term of such an undertaking usually requires notification to the Court as soon as possible.
Similarly, participation rules or subscriber agreements for electronic conveyancing and other e-commerce providers, such as Court portals or banking, may require notification of incidents.
[7]Australian Solicitors' Conduct Rules 2012 (Qld), r 9.1 (confidentiality) and r 13.1 (competence and diligence).
[8]Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), s 123 (offence — tipping off about suspicious matter reports).
Using your breach response plan
In the case of a more serious incident, you are strongly encouraged to obtain expert advice (using the Cyber Essentials QLS Member Insurance if available).
Having a plan is the foundation requirement for Privacy-regulated entities. However, there are also a number of key things to work through that can greatly reduce the cost and impact of a cybersecurity incident. For example:
- What should staff do if the Principal is not available?
- Who will you turn to for assistance?
- How will you triage urgent work and critical dates if your system is down?
- How will you communicate with clients?
- Does your system create logs that can be used to quickly establish what happened and whether data has been accessed?
- When did you last test that your backups are working? (Not just that it seems to be working, but that you are getting usable copies that can be restored quickly.)