Australia

A business didn't properly secure my credit card details and they were stolen. What action can I take?

- 30 days: Notification deadline
- $2.5M: Max penalty
- 13 APPs: Privacy principles
- OAIC: Regulator
The Short Answer

You can complain to the OAIC, seek compensation from the business, and report the breach to your financial institution — businesses must notify you and the OAIC if your credit card data is compromised under the Privacy Act.

What the Law Says

Australian law requires businesses to protect personal information—including credit card details—under the Privacy Act 1988 and the Australian Privacy Principles (APPs). A failure to do so may constitute an 'eligible data breach' requiring notification.

Under the Privacy Act 1988, businesses with an annual turnover of $3 million or more (and some smaller entities) are 'APP entities' and must comply with the Australian Privacy Principles (APPs). APP 11 specifically requires entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.

If a breach occurs that is likely to result in serious harm to affected individuals—and the entity has not been able to prevent the risk—this triggers the Notifiable Data Breaches (NDB) scheme. The entity must assess the breach within 30 days and notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.

Serious harm includes financial loss, identity theft, damage to reputation, or emotional distress—so stolen credit card details almost always meet this threshold.

Statutory Text

An entity must notify the Commissioner and affected individuals about an eligible data breach as soon as practicable after the entity becomes aware that there are reasonable grounds to believe that the breach has occurred.

Privacy Act 1988 (Cth), s. 26WE — Notification of eligible data breaches

Statutory Text

An entity must take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

Privacy Act 1988 (Cth), s. 26W — APP 11.1

What to Do

1. Contact your bank or credit card provider immediately to cancel the card and dispute any unauthorised charges.

2. Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

3. Request written confirmation from the business about what data was compromised and what remedial steps they’re taking.

4. Keep records of all communications, unauthorised transactions, and any financial loss for potential compensation claims.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.