Overview: Commercial considerations

Data breach notification obligations in commercial contracts

When negotiating and drafting contracts with partner organisations or other entities, an entity should ensure that data breach notification obligations are adequately negotiated and drafted. One important consideration is determining which entity will notify the Privacy Commissioner and affected individuals in the event that an eligible data breach affects multiple entities.

Entities should ensure that all personnel adequately understand any contractual obligations that may arise from commercial contracts if a data breach occurs.

Obligations under corporations law

There are various obligations under corporations law that may arise in the context of cybersecurity and data breaches. Directors and officers have a duty of care and diligence which extends to understanding their company's cybersecurity strategy and obligations under privacy law. In addition, listed entities have a continuous disclosure obligation to inform the market if a data breach may have a material effect on the price or value of their shares. Obligations will vary depending on the type of entity involved in a data breach.

Other commercial considerations

Entities that hold cybersecurity insurance should adequately document evidence surrounding data breaches so that they can disclose it to an insurer when making a claim. In addition, it is important to retain evidence of cybersecurity incidents, as it may be required in an audit or in due diligence.