The Australian Information Commissioner (OAIC) recently delivered a significant determination regarding online wine retailer Vinomofo. The ruling found the company interfered with the privacy of nearly one million individuals. For small and medium enterprise (SME) owners, the details of this case provide a clear roadmap of what not to do.
The breach occurred in 2022, exposing the personal information of 928,760 customers. This included dates of birth, gender, and contact details. While the scale of the breach garners headlines, the legal reasoning behind the Commissioner’s decision is what matters for business strategy. The OAIC focused heavily on the definition of “reasonable steps” under Australian Privacy Principle (APP) 11.1.
We frequently provide legal advice for data breach prevention, and the Vinomofo case underscores a specific point: compliance is an active, ongoing process, not a “set and forget” IT task.
Defining ‘Reasonable Steps’ Under APP 11.1
Under the Privacy Act, entities must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. Many business owners view this as a technical requirement. They assume that installing antivirus software and a firewall satisfies the law. The Vinomofo determination proves this assumption wrong.
Commissioner Carly Kind noted that Vinomofo’s “culture and business posture” failed to value privacy. The failure was not just in the software, but in the governance. The company lacked adequate policies, procedures, and training. The OAIC looks at the totality of the circumstances. If your business collects sensitive data but fails to train staff on how to handle it, you are likely not taking reasonable steps.
This aligns with broader regulatory trends. As we discussed regarding the Medlab case and director liability, regulators now expect boards and executives to take personal responsibility for cyber resilience. It is a corporate governance issue, not just a technical one.
The Risk of Known Vulnerabilities
The most damaging aspect of the Commissioner’s findings against Vinomofo was the timeline. The company knew its security governance had deficiencies at least two years before the breach occurred. They had identified the need to improve their security posture but delayed the necessary work.
From a liability perspective, this moves the issue from simple error to negligence. In commercial litigation, ignoring a known risk is difficult to defend. If you commission a security audit, you must act on the findings. Filing a report away in a drawer does not protect you; it creates evidence that you were aware of the danger and chose inaction.
Documentation is Your First Defence
If a breach occurs, the regulator will ask for evidence of your prevention efforts. You need to produce:
- Regular risk assessments.
- Minutes from board meetings where data security was discussed.
- Records of staff training sessions.
- Incident response plans that are tested regularly.
Without this documentation, proving you took “reasonable steps” is nearly impossible.
Cloud Migration and Third-Party Risks
The Vinomofo breach happened during a large data migration project. Moving data between systems or to the cloud is a high-risk activity. The OAIC determination specifically highlighted compliance with Australian Privacy Principle 11 during cloud migration as an area requiring heightened vigilance.
Many SMEs rely on third-party cloud providers. A common misconception is that outsourcing storage outsources liability. This is incorrect. Under the Privacy Act, the entity that holds the data remains responsible for its protection. You cannot contract out of your statutory obligations under the Privacy Act.
When engaging vendors for migration or storage, your contracts must be watertight. You need specific clauses that dictate:
- Security standards the vendor must meet.
- Notification periods in the event of a breach.
- Indemnities for losses caused by the vendor’s negligence.
- Rights to audit the vendor’s security practices.
Recent discussions on regulatory structures suggest that breach notification laws are becoming stricter globally. Australian contracts must reflect this reality to avoid gaps between what the law requires of you and what you require of your vendor.
The Cost of “Culture”
The Commissioner criticised Vinomofo’s culture. This is a nebulous concept for many business owners, but it translates to budget and priority. If a business prioritises speed to market or sales volume over data security, that is a cultural failure.
Evidence of a poor privacy culture includes:
- Security teams being under-resourced or ignored.
- Data retention policies that keep customer data “just in case” rather than deleting it when no longer needed.
- Lack of clear reporting lines for privacy issues.
We saw similar themes in the recent Meta settlement, where the handling of user data came under intense scrutiny. The cost of fixing these cultural issues after a breach is always higher than addressing them beforehand.
Practical Steps for SME Owners
You do not need an enterprise-level budget to demonstrate reasonable steps. You need a proportionate response to the data you hold. If you hold sensitive health or financial data, the bar is higher. If you hold only email addresses, the requirements are different but still exist.
Start with a data audit. You cannot protect what you do not know you have. Identify where your data lives, who has access to it, and why you are keeping it. If you have data from 2015 that you no longer use, delete it. Minimising data is the most effective way to reduce risk.
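The data audit above can be turned into a repeatable check. The script below is an added example and is not part of the original post: it runs a retention review over an inventory of customer records, flags records that have outlived their stated purpose or have no documented purpose at all, and reports which roles can read which kinds of personal data. The retention periods, the record layout and the sample inventory are constructed assumptions; replace them with your own policy.

```python
"""Data-retention and access audit over a constructed customer-record inventory.

Added example, not from the original post. RETENTION_DAYS, the Record layout
and SAMPLE are assumptions; map them to your own retention policy before use.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention policy: how long a record may be held after its last
# activity, per stated purpose. A record whose purpose is not listed has no
# documented reason to exist and is flagged for review rather than kept.
RETENTION_DAYS = {
    "active_customer": 2 * 365,   # order history needed to serve the customer
    "marketing_consent": 365,     # consent goes stale unless re-confirmed
    "tax_record": 7 * 365,        # long statutory-style retention (assumed value)
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str          # why the business says it holds this record
    last_activity: date   # last time the record was needed for that purpose
    fields: tuple         # personal-data fields the record contains
    accessible_by: tuple  # roles that can read the record


def classify(rec: Record, today: date) -> str:
    """Return 'retain', 'delete' or 'review' for a single record."""
    limit = RETENTION_DAYS.get(rec.purpose)
    if limit is None:
        return "review"  # held "just in case": no policy justifies it
    if today - rec.last_activity > timedelta(days=limit):
        return "delete"  # purpose expired; minimise by deleting
    return "retain"


def audit(records, today: date) -> dict:
    """Group record ids by action so the outcome can be minuted and acted on."""
    result = {"retain": [], "delete": [], "review": []}
    for rec in records:
        result[classify(rec, today)].append(rec.record_id)
    return result


def access_matrix(records) -> dict:
    """Map each role to the field types it can read; over-broad access is a
    risk signal in the same way over-long retention is."""
    matrix = defaultdict(set)
    for rec in records:
        for role in rec.accessible_by:
            matrix[role].update(rec.fields)
    return {role: sorted(fields) for role, fields in matrix.items()}


# Constructed sample inventory (not real data).
SAMPLE = [
    Record("c-001", "active_customer", date(2025, 3, 10),
           ("email", "dob", "address"), ("support", "marketing")),
    Record("c-002", "marketing_consent", date(2023, 1, 5),
           ("email",), ("marketing",)),
    Record("c-003", "tax_record", date(2019, 7, 1),
           ("name", "address"), ("finance",)),
    Record("c-004", "legacy_import", date(2015, 2, 14),
           ("email", "dob", "gender"), ("support", "marketing", "engineering")),
]

if __name__ == "__main__":
    review_date = date(2025, 6, 1)
    for action, ids in audit(SAMPLE, review_date).items():
        print(f"{action}: {ids}")
    for role, fields in access_matrix(SAMPLE).items():
        print(f"{role} can read {fields}")
```

Run as-is, the 2015 legacy import is flagged for review because no purpose in the policy covers it, the stale marketing consent is marked for deletion, and the access report shows the marketing role can read dates of birth and gender, which is the kind of finding a board minute or risk register should capture.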
Research indicates that data breach laws are effective in forcing companies to adopt better internal policies. Do not wait for a regulator to force your hand.
Review your insurance. Cyber insurance is becoming harder to obtain and more expensive. Insurers now demand proof of specific security controls (like Multi-Factor Authentication) before they will bind a policy. A refusal of coverage is a major red flag for your business risk profile.
The Vinomofo determination is a reminder that the OAIC is willing to look behind the technical curtain and examine business decision-making. If you are aware of security gaps, the time to address them is now.
If you are concerned about your current privacy policies or vendor contracts, we can review your position and help you establish a defensible legal framework.
Book an appointment with one of our Lawyers to discuss your specific needs.
A Note on the Information We Share
Reading this information does not create a lawyer-client relationship between you and SLK Lawyers. This only occurs with a formal written agreement. Content is current at publication and applies to Victorian law unless stated otherwise. It is general information only and not a substitute for specific legal advice. Strict time limits apply to legal claims. You should seek immediate legal advice on your specific situation to ensure your rights are protected.