Introduction
When the breach hits, you want your lawyer on the line before your IT vendor. Data breach response in Australia begins with a legal decision, not a technical one. The instinct when a breach is discovered is to call the IT provider and get the systems back up. That instinct is understandable, and the technical recovery does matter. But the decisions that follow in the first hours (who is told, what is written down, what is preserved, and how the situation is framed to a regulator) are legal decisions with commercial consequences. They are easier to get right when a lawyer is directing the response from the start.
The case for putting legal at the front of a breach is straightforward. When forensic investigation work is properly scoped under a breach-coach retainer, with the lawyer directing it for the dominant purpose of giving legal advice, legal professional privilege can attach to the work-product. That can help protect sensitive findings from later disclosure to regulators and in litigation. Privilege is not automatic and it is not guaranteed; it has to be set up correctly at the outset, and whether it holds for a particular forensic engagement is fact-dependent and can be tested by a court. Setting it up properly before anyone else starts producing reports is part of the value of having the lawyer involved first.
Why the legal frame should lead
Three things shape the first hours of a breach, and all three are improved when a lawyer leads.
Privilege over the work-product
A forensic report commissioned directly by the business, for operational reasons, will often not be privileged. The same investigation, scoped and directed by the lawyer, has a much better prospect of attracting privilege over the findings. The setup is what makes the difference, and it has to be in place from the first call.
Evidence and decision-making
Early in an incident the facts are uncertain and the temptation is to speculate in writing. A lawyer keeps the record disciplined: what is known, what is assessed, what is being investigated. That discipline protects the business if the matter is later examined by the OAIC or a court.
The regulator narrative
How a breach is characterised, when it is reported, and what is said to affected individuals all carry legal weight. Getting the framing right from the outset is far easier than correcting it later.
The first hours and who does what
A well-run response is a small, coordinated team with clear roles.
- The lawyer runs the response, scopes the forensic engagement, advises on notification obligations, manages communications with the regulator and insurer, and works to preserve the privilege position over the work-product.
- The forensic and IT providers contain the incident, preserve evidence and establish what happened. Where appropriate, that work runs through the forensic provider as agent of the lawyer, which supports the privilege position over the work-product.
- The business makes the commercial calls, with legal advice, and keeps a tight internal communication discipline so the record stays accurate.
The single most useful thing an organisation can do is decide, before any incident, who its breach coach is. The first call is much shorter when the relationship already exists.
Notifiable data breach: what to do
Australia’s Notifiable Data Breaches scheme, in Part IIIC of the Privacy Act, sits at the centre of breach response. An eligible data breach is unauthorised access to or disclosure of personal information, or loss of personal information, that is likely to result in serious harm to an affected individual.
If a breach is an eligible data breach, the entity must notify the OAIC and the affected individuals as soon as practicable after it becomes aware. Where there are reasonable grounds to suspect an eligible breach but the entity is not yet sure, it must carry out a reasonable and expeditious assessment, generally within 30 days, to decide whether the threshold is met.
The serious-harm test is a judgement, and it is a legal one. It turns on the kind of information involved, who accessed it, and whether remedial action has reduced the risk. Health and finance are consistently among the top reporting sectors, which reflects the sensitivity of the information those organisations hold. Getting the assessment right, and documenting the reasoning, is exactly the kind of work that benefits from a lawyer’s involvement. It also feeds the board oversight that directors are increasingly expected to demonstrate, a point we develop in our piece on the privacy reforms boards need on the cyber radar.
Coordinating insurers and forensic providers
Most cyber policies require early notification and often nominate panel providers. A breach coach can work within those requirements while keeping the legal architecture intact, including running the forensic engagement through the provider as agent of the lawyer where that is appropriate.
Coordinating the insurer, the forensic team and the legal response from one point keeps the timeline coherent and avoids the gaps that appear when each party works in isolation. Engaging the forensic firm through the lawyer, rather than directly, is what keeps that work inside the legal-advice purpose; a report the insurer commissions directly sits outside it. A breach coach makes the panel work without breaking that line.
The 72-hour ransomware reporting obligation
If the incident involves ransomware or cyber extortion, a separate obligation may apply. Under the Cyber Security Act 2024, Australia’s first standalone cyber security law, mandatory ransomware and cyber-extortion payment reporting has been in effect since 30 May 2025.
A reporting business entity, broadly one carrying on business in Australia with annual turnover of $3 million or more in the last financial year, and responsible entities for critical infrastructure assets, must report a ransomware or extortion payment made by them or on their behalf within 72 hours to the Department of Home Affairs and the Australian Signals Directorate. The Act also introduces a limited-use protection for information given to the National Cyber Security Coordinator and ASD, which is designed to encourage engagement; that protection sits alongside, rather than removes, the mandatory payment report itself. Failure to report can attract civil penalties.
The decision whether to pay at all is a separate legal question that should never be made without advice, including sanctions screening. We cover that in detail in our article on mandatory ransomware payment reporting.
Common mistakes
A few patterns recur, and each is avoidable.
- Calling forensics before the lawyer: It can compromise privilege over the report that follows.
- Speculating in writing: A loose early record can later be read against the business.
- Treating the matter as purely technical: That misses the director-duty and governance dimension.
- Having no plan: The first hours are then spent working out who to call rather than acting.
How GRM LAW helps
GRM LAW is a Brisbane firm acting as breach coach for businesses across Australia, and we run breach response around the legal frame from the first call. Through our Breach + Drill Subscription, we hold a breach-coach retainer, keep a plain-English incident-response plan current, and run two facilitated drills a year so the plan is tested before it is needed. The first hours of any in-year incident are included, and forensic work runs through the provider as agent of the lawyer to help preserve privilege over the work-product. We act for clients across Queensland and nationally.
The practice is supervised by founding partner Gavin McInnes, an Accredited Specialist in Business Law. We advise on controls we actually run: our own environment is aligned to APRA CPS 234, self-mapped to ISO 27001 controls, and targeting Essential Eight Maturity Level 2. Most engagements begin with a no-obligation 30-minute scoping call. If a breach is unfolding now, or you want a breach coach in place before one does, contact GRM LAW’s cyber and privacy lawyers.
Disclaimer: This is general information only and is not legal advice. For advice on your circumstances, contact GRM LAW.