In 2022, the Optus and Medibank data breaches sent a shockwave through Australian business. Millions of customers had their personal information exposed, and the fallout, from regulatory scrutiny to class action threats, reshaped how businesses think about data security and contractual liability. If your business handles customer data, stores personal information, or shares sensitive records with third-party providers, the lessons from these breaches are directly relevant to you. The good news is that there are practical steps you can take right now to reduce your exposure.
How the Optus and Medibank Breaches Changed the Liability Landscape
Before these breaches, many Australian businesses took a fairly relaxed approach to data security provisions in their contracts. Liability limitation clauses tended to favour the party holding the data, making it difficult for affected businesses or customers to recover losses after a breach.
That's changed. The scale of the Optus and Medibank incidents, and the enormous financial and reputational costs that followed, forced businesses on both sides of a contract to pay much closer attention to who bears responsibility when something goes wrong. Parties being trusted with customer data are now far less willing to accept open-ended liability for a breach, even in situations where they would clearly be at fault. Meanwhile, the businesses handing over that data are pushing back hard, demanding stronger protections.
The result? Contract negotiations around data liability have become more tense and complex. Deals are stalling. And where there's no clear contractual framework in place, disputes are heading towards costly litigation.
Human Error Is the Most Common Cause of Data Breaches
It's tempting to think of data breaches as the work of sophisticated hackers. But the reality is far more mundane. The vast majority of breaches involve human error at some level, whether that's an employee clicking a phishing link, misconfiguring a system, or accidentally sharing data with the wrong person. Even the Optus breach, one of the largest in Australian history, came down to a failure to restrict access to an API that should never have been publicly accessible.
This matters for business owners because it means the risk sits not just with your IT systems, but with your people, your processes, and your contracts. You can't fully protect your business by technology alone.
Practical Steps to Reduce Your Data Breach Risk
There's no single fix that eliminates all risk, but taking a structured approach across your contracts, your team, and your operations makes a significant difference. Here's where to start.
1. Get your contracts right
Any contract where sensitive or personal data changes hands should clearly define who is responsible for protecting that data and what happens if there's a breach. Data breach liability provisions need to be specific, not buried in generic limitation clauses. Make sure the party actually handling the data carries an appropriate share of the risk. If you're sharing customer data with a third-party software provider or contractor, your Privacy Policy and your service agreements should work together to reflect those obligations. A Confidentiality Agreement can also be a useful tool when sensitive information is being exchanged between parties before a formal contract is in place.
2. Train your team regularly
Data security training shouldn't be a one-off onboarding exercise. Employees need ongoing education about phishing attempts, social engineering tactics, and the correct handling of sensitive data. A well-trained team is one of the most cost-effective defences a business can have.
3. Implement strict access controls
Not everyone in your business needs access to every piece of data. Limit access based on genuine necessity, and use multi-factor authentication as a baseline for any system holding sensitive customer information. Reducing who can access data reduces the number of ways it can be accidentally or maliciously exposed.
4. Do your homework on third-party providers
When you share customer data with a software platform, contractor, or service provider, you're extending your risk profile to include theirs. Before signing up, assess their security practices. Once you're working together, include clear data security obligations in your contracts and monitor compliance. If a breach occurs because of their negligence, you want a clear contractual basis to hold them accountable.
5. Build a culture of security awareness
The businesses that handle data breaches best are the ones where security is genuinely part of the culture, not just a compliance checkbox. Encourage staff to report suspicious activity without fear of blame. Create clear, accessible processes for escalating security concerns. The earlier a potential breach is caught, the less damage it causes.
6. Keep your policies current
Cyber threats evolve constantly. Your security policies and procedures should too. Set a regular schedule to review and update them, and make sure any changes are communicated clearly to your team.
7. Have an incident response plan
If a breach does occur, the speed and quality of your response will significantly affect the outcome, both legally and reputationally. The Office of the Australian Information Commissioner (OAIC) provides guidance on developing a data breach response plan. Having a tested plan in place means you're not making critical decisions under pressure with no framework to guide you.
8. Look into cyber insurance
Cyber insurance won't prevent a breach, but it can significantly reduce the financial sting if one occurs. Coverage can extend to legal fees, customer notification costs, regulatory response, and public relations expenses. It's worth getting advice on whether a policy makes sense for your business size and risk profile.
What This Means for Your Contracts Right Now
If you haven't reviewed your contracts since 2022, there's a real chance your data liability provisions no longer reflect current market expectations or adequately protect your business. This is particularly true if you:
- Collect or store personal information about customers or employees
- Share data with third-party platforms, contractors, or partners
- Rely on terms of service or a privacy policy that hasn't been updated recently
- Are entering into new service agreements where data will be exchanged
Contracts that were drafted before the 2022 breaches may contain liability caps or exclusions that were standard at the time but are now difficult to negotiate without pushback, or that leave you exposed in ways you haven't considered.
Additional Resources
Australian Cyber Security Centre: The ACSC provides free, practical guidance for Australian businesses on improving their cybersecurity posture. Visit cyber.gov.au for tools and resources tailored to business.
OAIC Data Breach Response Plan: The Office of the Australian Information Commissioner has published a practical framework for responding to data breaches. You can access it at oaic.gov.au.
Cyber Insurance: For an overview of what cyber insurance covers and how it works, this ZDNet article is a useful starting point.
If you're a founder or business owner looking to get your data-related documents in order, Mode.law has you covered. Our document library at /documents includes a Privacy Policy, Confidentiality Agreement, and a range of commercial contracts designed for Australian businesses. Solid documents are one of the most effective ways to reduce your legal and financial exposure before a problem arises.