"Reasonable steps in those circumstances could involve having a data breach response plan, which includes notifying affected individuals."
McMillan said scenarios such as the Catch of the Day breach increase the need for mandatory data breach legislation to come into play.
"I know that the Office of the Australian Information Commissioner is a proponent of that type of legislation. There's also been a lot of international pressure on Australia to move towards data breach notification.
"It is implemented in a number of other jurisdictions worldwide. Attorneys general in the US, UK, Canada, and New Zealand have all been applying pressure for mandatory data breach notification here in Australia."