Data Breach Management


Privacy 108 offers a comprehensive suite of privacy legal and consulting services, delivered by our team of privacy and security experts, to help establish or improve your data breach preparedness capability and ensure your team is equipped to respond quickly and effectively to a data breach.

Breaches in security can happen, and in our experience it is often the way that a breach is handled, rather than the breach itself, that has the most long-term impact.

Wherever you are on your data breach path, we can provide the advice, support, implementation, improvement and testing assistance you need.

Our data breach management services include:

  • Developing an information security incident response capability;
  • Preparing a data breach response plan;
  • Testing and training staff in your incident response;
  • Participating as legal advisers and/or privacy experts as part of your data breach/incident response team;
  • Keeping you up-to-date with new or changing data breach notification obligations;
  • Providing a legal opinion on your data breach notification obligations;
  • Participating in or leading the post-incident review process.

Our team of lawyers and security experts can support you through any organisational data breach with a view to resolving it as quickly as possible, while ensuring that any damage or loss to both affected individuals and your organisation is minimised.

From the initial attack through to ongoing communications with stakeholders, our team works closely with you to evaluate and understand the full context of the breach and ensure the most efficient and effective response that mitigates harm.


Before a breach: Getting your data breach plan in place

To help ensure the right people, processes and systems are in place, our team will work with you to develop an information security incident and data breach response plan, tailored for your organisation.

Our approach involves discussions with all stakeholders, review of relevant organisational policies and procedures and familiarising ourselves with existing systems to make sure the information security incident and data breach response we create aligns to your culture and is fit for purpose for your organisation.

We are familiar with and typically incorporate the leading incident response and data breach standards in our plans. This might include:


Training and testing your plan

We are also experts in training and testing (including desktop drills). We can devise interactive workshops to test your team’s ability to respond to an information security incident or data breach in accordance with the plan.

Testing a plan provides you with the reassurance that your team is able to work together and implement the plan in the case of a data breach. It will also help you identify any issues you might have before the plan is needed in a real-world environment.


After a breach: Managing your data breach response

We advise on how you should respond to data breaches, including the notification of customers and regulators, and the quantification of loss.

Our services in supporting you after a breach include:

  • Providing a legal opinion on your notification obligations, including consideration of potential harm and mitigation efforts;
  • Participating as part of your breach response team;
  • Developing a communication plan that reaches all affected audiences – employees, customers, investors, business partners and other stakeholders;
  • Liaising with regulators, insurers and other third parties;
  • Reviewing and recommending responses to affected individuals as part of the breach response;
  • Collecting evidence relating to the breach in a forensically appropriate manner.


Stay up to date

Data breach laws are changing: new laws are being introduced and existing laws are being updated.

We will make sure you stay up to date with all your data breach notification obligations.

Our privacy and security team tracks data privacy and security regulations as they evolve, both in Australia and internationally, so we can help our clients develop the capabilities required to meet the needs of customers throughout APAC and the rest of the world, in accordance with the latest requirements.

Data Breach Management FAQs

What is a data breach?

A data breach is typically defined as any unauthorised access to, or disclosure or loss of, personal information. In Australia, ‘eligible data breaches’ are subject to mandatory reporting requirements under the Privacy Act. There are also mandatory notification obligations for organisations covered by Australia’s security of critical infrastructure legislation.

Our team can help you determine whether you’ve had an eligible data breach and what your reporting obligations might be.

We are also familiar with, and can support you in meeting, your data breach notification obligations in other jurisdictions – including the UK, the EU, China and the USA.

What should be included in a data breach notification?

When deciding what to include in a data breach notice, our team will work with you to assess the following:

  • all relevant data breach notification obligations;
  • the nature of the compromise;
  • the type of information taken;
  • the likelihood of misuse;
  • the potential harm if the information is misused.

Breach notification laws typically specify what information must, or must not, be included in the breach notice. In general, the notice might include the following:

  • A clear description of the incident. This might include:
    • how it happened;
    • what information was taken;
    • how the information has been used (if that is known);
    • what actions you have taken to remedy the situation;
    • what actions you are taking to protect individuals, such as offering free credit monitoring services;
    • how to reach the relevant contacts in your organisation.
  • The steps people can take, given the type of information exposed, together with relevant contact information (for example, for banks, passport authorities etc.).
  • How you will contact people in the future. For example, if you will only contact consumers by mail, then say so. If you will never call them about the breach, let them know. This information may help victims avoid phishing scams tied to the breach, while also helping to protect your company’s reputation. Some organisations tell consumers that updates will be posted on their website, which gives consumers a place they can go at any time to see the latest information.

What are some of the other considerations in your data breach plan?

In addition to understanding your legal obligations, there are other important considerations in putting together your data breach response plan:

  • Consider contacting law enforcement: Depending on the type of breach, it might be appropriate to involve law enforcement or other government agencies, such as the Australian Cyber Security Centre.
  • Single point of contact: A point person within your organisation should be designated for releasing information. That contact person should then receive the latest information about the breach, your response, and how individuals should respond.
  • Form of response: Consider using letters, websites and toll-free numbers to communicate with people whose information may have been compromised. If you don’t have contact information for all of the affected individuals, you can build an extensive public relations campaign into your communications plan, including press releases or other news media notification.
  • Compensation: Consider offering at least a year of free credit monitoring or other support, such as identity theft protection or identity restoration services, particularly if financial information or Social Security numbers were exposed. When such information is exposed, thieves may use it to open new accounts.

What is involved in developing a data breach communication plan?

Our team can create a comprehensive communication plan that reaches all affected audiences – employees, customers, investors, business partners and other stakeholders. The plan will make sure that you don’t make misleading statements about the breach, and that you don’t withhold key details that might help your customers or other affected individuals protect themselves and their information. It will also help ensure you do not publicly share information that might put consumers at further risk.

We can also help you anticipate the questions people will ask and make sure you have the answers. This enables you to put the most important questions, with clear, plain-language answers, on your website where they are easy to find. Good communication up front can limit customers’ concerns and frustration, saving your company time and money later.

Who are Privacy 108?

Privacy108 is owned and led by one of Australia’s leading security and privacy professionals, Dr Jodie Siganto. The Privacy108 team includes lawyers, consultants and trainers who between them hold many years of experience in delivering privacy and security solutions for Australian organisations.

We have worked as in-house counsel and senior executives, and understand the pressures faced by executives, CISOs, Chief Privacy Officers, procurement teams and in-house lawyers. Our team’s industry experience is complemented by extensive legal knowledge and a desire to assist our clients with high quality practical advice.

Contact Us

  • We collect and handle all personal information in accordance with our Privacy Policy.