Data Security -
Can you afford to ignore it?
With an average loss of $275,000, 80% of Australian SMEs targeted by a cyber-attack go bankrupt within 12 months
(NSW Chamber of Commerce)
and 61% of breaches affected organisations with fewer than 1,000 employees.
(European Union Agency for Network and Information Security ENISA)
Poor privacy and data protection is becoming one of the biggest risks to business in Australia and worldwide. Business owners and company directors bear the brunt of the risk and need to be aware. In 2019 Yahoo settled a derivative action against its former directors for a data breach.
According to the UNSW School of Taxation and Business Law, over 60% of directors say they don’t yet have a set of standard cyber security metrics. The majority of these feel like they’re not getting good quality reporting or very detailed reporting, or they don’t understand the reporting or the metrics.
And breach reports are increasing rapidly. In the December 2018 quarter, the OAIC was notified of over 262 incidents across Australia, an increase of 7% over the previous quarter. The industries being targeted are health, finance, professional services, education, mining and manufacturing. However, no industry is safe. Most of these breaches are the result of either human error or malicious attack, meaning that in theory they are preventable.
What can you do?
Aperion Law has developed a solution to mitigate risk in this area with the launch of My Privacy Officer, an outsourced privacy and data security service that offers a cost-effective and systematic way of identifying and managing your exposure to data security risk through three key stages:
Stage 1 - Privacy and Data Security Setup
- Data Collection – a series of questions and/or an interview to review existing documentation and policies within your business.
- Gap Analysis – a written review analysing your current documentation and processes against best practice and providing recommendations to address your exposure to risk.
- Remediation – making the necessary revisions to documents and processes to reduce your business's exposure to data security threats. We can also assist you in finding technical providers to implement risk mitigation solutions.
- Management – establishing systematic internal processes to manage risk on a daily basis; providing access to external support services; liaising with the regulator and other stakeholders and establishing a regular review process.
Stage 2 - Incident Response
- Activate Data Breach Response Plan (DBRP) – Your data breach response plan outlines the roles and responsibilities of staff and trusted advisors. This document allows you to respond quickly and effectively to a breach, minimising the loss of data and your liability.
- Notify Regulators and other Stakeholders – A data breach may enliven statutory notification requirements. We will help you understand your obligations in this respect, including drafting the notifications.
- Notify the Data Supply Chain – With cloud providers and outsourced IT, for most businesses the data supply chain is both critical and complex. Effective planning will help you understand who you need to contact, and how, in the event of a breach.
- Activate Third Party Security Providers – Data breach response is a team game. In addition to legal advice, you may need to engage technical experts to stop the breach and gather evidence. You may also need to engage a communications team to assist with your engagement with your various stakeholders.
Stage 3 - Post-incident Remediation and Recovery
- Manage Resulting Claims – Civil liability for data breaches can take the form of class actions by data subjects and shareholders. The measures that you put in place will directly impact the extent of any liability your company faces when a data breach occurs.
- Manage Regulatory Actions – Supervisory authorities have a range of investigative and coercive powers, including imposing fines and enforceable undertakings on companies who fail to meet privacy standards.
- Recover Third-Party Losses – If a breach is caused by a third party, you may need to initiate a legal action to recover damages caused by their default.
- Incident Review – Effective breach remediation means understanding what happened and why. This means identifying the technical or organisational faults that led to the breach.
- Repair Systems and Processes – The final stage of post-breach remediation is to close the loop by ensuring that all vulnerabilities are secured.
To find out more about My Privacy Officer and how it can manage your data security risks, please complete the form below: