Overview: Data security obligations and data security breaches

Types of data

Identifying and classifying types of data or information can be useful in the context of data security to help determine what:

  • legal obligations and rights may apply to the data or information;
  • benefits and risks may arise from its possession or use; and
  • the data or information can be used for, by whom, and in what circumstances.

Where applicable, it may be useful to classify or categorise data or information as:

  • personal information;
  • confidential information and trade secrets;
  • financial data or information;
  • intellectual property; or
  • government official information.

Personal information is defined in the Privacy Act 1988 (Cth) (Privacy Act).

An organisation may have confidentiality obligations to other parties in relation to data or information. It may have trade secrets such as valuable methods or know-how which are a source of competitive advantage.

There is no single, authoritative definition of financial data or information. Financial data or information may be publicly available, or it may be the confidential information of one or more organisations or individuals.

Likewise, there is no single, authoritative definition of intellectual property.

Government official information is information or data created by or relating to government agencies. It may be required to be treated in a particular manner, based on its security classification.

There are four main sources of legal obligations relating to data security:

  • legislation;
  • common law;
  • formal contracts and other forms of legally binding agreements; and
  • government requirements in relation to government official information.

Classifying or categorising data or information as being of a particular nature or type can help to determine the sources of legal obligations that may apply to particular data or information.

Types of breaches

A data security breach may occur as a result of a broad range of causes and in a wide variety of circumstances. A data security breach may be caused by:

  • willful or malicious acts by an organisation or individual conventionally referred to as “a bad actor” or “perpetrator” (eg the deployment of malicious code into another organisation’s or individual’s IT systems or IT devices, theft or willful damage to or destruction of data or IT systems or IT devices on which data is stored); or
  • reckless, negligent or careless acts or omissions by an organisation or person.

A data security breach may be caused by a range of acts or omissions by either employees or contractors within an organisation, or acts by organisations or individuals external to an organisation.

Data security obligations

A data security breach may result in a breach of various legal obligations, including:

  • contractual obligations;
  • a common law duty of care;
  • under the Privacy Act;
  • with respect to confidentiality and trade secrets; and
  • government requirements with respect to privacy, confidentiality, data security of government official information,

depending upon the relevant circumstances.

There are also legal requirements in relation to data retention and destruction.

See Data security obligations.

Consequences to an organisation of the data security breaches

A data security breach could have serious, adverse consequences for an organisation and its stakeholders.

If an organisation is affected by a data security breach, it should consider its potential legal remedies. This usually involves gathering the relevant facts and supporting evidence, identifying the relevant sources of legal obligations, and determining which legal remedies to pursue in relation to the data security breach.

Initiating the exercise of legal remedies usually involves preparing and issuing a letter of demand to the organisation or person believed to have caused the data security breach.