Cyber security, data privacy and breach response services

Publication May 2018

Protect, respond, recover

With the global media spotlight on privacy and data breaches, and reputational damage to companies such as Facebook, it has never been more important to protect your customers’ data. An increasingly complex web of national and international laws governs the treatment of data in Australia and around the world. With its unmatched global network, Norton Rose Fulbright is ideally placed to advise on:

  • Privacy compliance – to safeguard data and comply with new regulations in Australia and abroad
  • Managing your supply chain for potential liabilities
  • Preparing for, and responding to, a data breach or complex cyber incident. 

Early planning is critical to protecting your organisation and complying with regulation, and preparing to effectively respond to a cyber incident in the case of a breach. We provide an end-to-end service offering which covers both the advisory and contentious stages of the data breach lifecycle including:

Complete data
breach protection service
Protect We protect by advising organisations on their data security and privacy obligations and potential cyber security risk exposures. This includes conducting digital risk audits, and advising on incident response readiness, cross-border data flows, IT vendor risks and regulatory risks.
Respond We respond through acting as 'breach coach' during an incident, advising on the legal issues (primarily, risk of harm, notification requirements), while also managing stakeholder interests and mitigating potential future loss. Our Respond Service includes managing claims for our insurer clients and their insureds in both coverage and response (or defense) capacities.
Recover We recover through assisting our clients respond to further regulatory investigations, respond to any media coverage, defend third party claims and pursue recovery actions. Our end-to-end capabilities mean we are best placed to understand how the breach, investigation, response, remediation and notification aspects will impact on potential litigation.

Having acted on the three largest data breaches in Australia, our team’s unrivalled experience is highly valued by our clients.

Are you prepared for new privacy legislation?


The new mandatory data breach notification laws came into effect in Australia on 22 February 2018 and affect all Australian businesses with an annual turnover over AU $3 million. Eligible data breaches must be reported, including those in your supply chain. Find out how the new Australian data privacy regulation will impact your business here. Or ask Parker, our data privacy chatbot, for more information!

Parker privacy chatbot Norton rose fulbrigth ai

Use of the chatbot is subject to disclaimer

What are the consequences of non compliance?

Breaking your customers’ trust can have significant consequences to an organisation’s bottom line and any potential breach must be quickly identified and managed. Penalties for non compliance are up to AU$420,000 for an individual and AU$2.1 million for an organisation.

Australian privacy compliance packages

Managing privacy compliance is a step-by-step process. Norton Rose Fulbright privacy experts have put together affordable, fit-for-purpose packages to help protect your organisation. Find out more about our privacy compliance packages.

GDPR for Australian organisations

The European Union’s new General Data Protection Regulation (GDPR) is a comprehensive framework (effective from 25 May 2018) that will have implications on any organisation that holds data on EU citizens, regardless of whether the business operates in the EU. The new laws set out new and detailed privacy requirements including rules on data governance and accountability, obligations to undertake privacy impact assessments, and record keeping requirements for personal data processing. New data breach notification requirements include a 72-hour deadline.

What are the consequences of non compliance?

Severe fines could be imposed for companies in breach of the GDPR – up to 4 percent of annual worldwide turnover or €20 million, whichever is greater.

Breach response

As ‘breach coach’ we work with you to provide a streamlined incident response service across a range of incident types, including data breach and network interruption.

We coordinate the entire response by assessing the size and nature of the incident, taking steps to contain it, coordinating our panel of carefully selected third party vendors, all the while managing stakeholders’ interests and mitigating potential loss. This includes advising the Board on continuous disclosure obligations.

Our early involvement and establishment of legal professional privilege protects you to the maximum extent possible as far as sensitive communications are concerned. The protection of legal professional privilege is critical in any response, this is why our ‘breach coach’ process is so effective. It is an engagement model perfected by our US colleagues who have been dealing with mandatory breach notification for over a decade.

We provide a hotline for incident responses – please contact us for further information on this service.

Our five tips for responding to a data breach


Develop and test internal response processes to ensure that potentially notifiable incidents are identified and reported to the legal / risk management function as early as possible. Valuable time can be lost in this initial phase.


Seek the assistance of external legal counsel and other service providers, where appropriate, to limit the potential exposure following an incident. External providers can advise organisations on whether remedial action can be taken to avoid the risk of harm from eventuating, which may remove the need to notify affected individuals and the Privacy Commissioner.


Although affected individuals and the Privacy Commissioner must be notified where required, organisations and agencies should not adopt a strategy of notifying all incidents as a matter of course. This is not the intention of the legislation and will cause notification fatigue. On the other hand, organisations and agencies should have a sound legal basis for not notifying, after having received external legal advice where appropriate.


Where an organisation or agency chooses to notify, the notification campaign should be well structured to monitor post notification liability risk from affected individuals, stakeholders and regulators. Organisations and agencies should manage their ongoing regulatory and claims risk post notification.


Notify insurers as soon as possible and obtain consent from insurers before taking any key steps or incurring costs. This will ensure that cover is not jeopardised due to late notification.

Recent publications

Subscribe and stay up to date with the latest legal news, information and events...