✍️ About This Guide
Written by the cybersecurity and incident response team at CodeHyper, a Sydney-based managed IT and cybersecurity provider. Our team has supported Australian businesses through data breach containment, forensic investigation, OAIC notification, and post-breach remediation across healthcare, professional services, retail, and financial services sectors. Legal obligations cited in this guide are sourced from the OAIC’s official NDB scheme guidance and the Privacy Act 1988 (as amended in December 2024). This guide is informational; for legal advice specific to your breach, consult a qualified privacy lawyer and engage your cyber insurance provider immediately.
It is 9:47 AM on a Tuesday. An employee calls to report they cannot access any files. Another follows. Your IT team checks the server, everything is encrypted. A ransom note appears on the screen. Or perhaps it’s quieter than that: a routine audit reveals that a database containing 3,000 customer records has been exposed to the public internet for six weeks. Either way, the outcome is the same: you have a data breach, and what you do in the next 30 days will determine whether this becomes a manageable incident or a business-ending event.
Data breaches are the defining cybersecurity crisis facing Australian businesses in 2026. The OAIC received 483 notifiable data breach reports in just one six-month period — and those are only the ones that were reported correctly. The real number of incidents is far higher. Australian businesses holding personal information face penalties of up to $50 million AUD for serious or repeated privacy breaches. And 60% of small businesses that suffer a serious breach close within six months — not always because of the breach itself, but because of the mishandled response.
The difference between businesses that survive a data breach and those that don’t is almost never the size of the incident. It is almost always the speed, structure, and legality of the response. This guide gives you exactly that: a step-by-step data breach response plan designed for Australian businesses, built around your legal obligations under the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, and informed by real incident response experience from the field.
If you have already experienced a breach and need immediate help, contact our team now. For businesses looking to build a data breach response plan before an incident occurs, this is your complete reference. Our managed cybersecurity services and incident response guidance are available for both reactive and proactive engagements.
What Is a Data Breach? Understanding Your Legal Obligations in Australia
Under Australia’s Privacy Act 1988, a data breach occurs when personal information held by your organisation is subject to:
- Unauthorised access: someone who is not authorised accesses the data — including a hacker, a malicious insider, or a third-party vendor with excessive permissions
- Unauthorised disclosure: personal information is shared with someone who should not receive it — including accidentally emailing the wrong person, misconfigured cloud storage, or a vendor sharing data without consent
- Loss: personal information is lost in circumstances where unauthorised access or disclosure is likely — a stolen laptop, a lost USB drive, or a deleted database without backup
Not every data breach is a notifiable data breach. The NDB scheme — which triggers your legal obligation to notify the OAIC and affected individuals — applies when three criteria are all met:
- Unauthorised access, disclosure, or loss of personal information has occurred
- The breach is likely to result in serious harm to one or more individuals — serious harm includes financial harm, physical harm, serious psychological harm, serious reputational damage, or other serious consequences
- You have been unable to prevent the likely risk of serious harm through remedial action — if you act quickly and effectively enough to eliminate the risk of harm, the breach may not be notifiable
The key phrase is ‘likely to result in serious harm’. This is assessed on the balance of probabilities — if it is more likely than not that serious harm could result, notification is required. When in doubt, the OAIC recommends erring toward notification. The legal risk of under-reporting significantly outweighs the reputational cost of over-reporting.
Who Does the NDB Scheme Apply To?
The NDB scheme applies to all APP entities — organisations covered by the Privacy Act 1988. This includes:
- Private sector organisations and not-for-profits with an annual turnover of more than $3 million AUD
- All Australian Government agencies regardless of size
- All health service providers regardless of size — including small medical, dental, and allied health practices
- Credit reporting bodies, credit providers, and tax file number recipients regardless of turnover
- Any business that has opted in to Privacy Act coverage
If your business is below the $3 million threshold but handles sensitive data — health information, tax file numbers, credit information — you likely still have obligations. If you are uncertain whether the NDB scheme applies to your business, legal advice is recommended. The penalties for non-compliance — up to $50 million AUD or 30% of domestic turnover — apply regardless of whether non-compliance was intentional.
The 7-Step Data Breach Response Plan for Australian Businesses

This is your operational playbook. Every step has a time component — the NDB scheme requires that your assessment be completed and notification made as soon as practicable, with 30 days as the outer limit for assessing a suspected eligible data breach. In practice, for serious breaches, 30 days is the maximum — not the target.
Step 1: Contain — Stop the Bleeding Immediately (Hours 0–4)
The first and most urgent priority in any data breach response is containment — preventing the breach from spreading, stopping ongoing unauthorised access, and preserving evidence. These actions must happen simultaneously and immediately:
- Isolate affected systems: disconnect compromised devices from the network — physically or logically. In a ransomware scenario, this means pulling ethernet cables, disabling Wi-Fi, and blocking affected systems from communicating with others. Do not power off servers before consulting a forensic specialist — powering down can destroy volatile evidence
- Revoke compromised credentials: immediately disable accounts that have been compromised or are suspected to be. Reset passwords for any accounts that may have been exposed. Check for and disable any attacker-created accounts or persistence mechanisms
- Block data exfiltration channels: if data is still being exfiltrated, block the outbound connections — firewall rules, blocking specific IP ranges, or disabling external transfer capabilities
- Preserve evidence: before making any system changes, preserve logs — firewall logs, authentication logs, EDR telemetry, email gateway logs. These are essential for forensic investigation, legal proceedings, and insurance claims. Do not wipe or reimage systems until forensic capture is complete
- Notify your cyber insurer: most policies require notification within 24–72 hours of discovery. Contact your insurer’s claims hotline immediately — before engaging external vendors. Failing to notify within the required window can affect your coverage
⏱️ Hour 1 Priority Checklist
☐ Isolate affected systems from the network
☐ Revoke compromised credentials
☐ Preserve all logs and telemetry
☐ Call your cyber insurer’s claims hotline
☐ Alert your incident response team or external IR provider
☐ Do NOT power off servers without forensic guidance
☐ Do NOT publicly communicate about the breach yet
Step 2: Assess — Understand What You Are Dealing With (Hours 4–72)
Once immediate containment is underway, you need to understand the scope, nature, and likely impact of the breach. This assessment determines whether you have an eligible data breach that must be reported under the NDB scheme, and informs all subsequent response decisions.
Your assessment must address:
- What personal information was accessed or lost? Identify the specific data sets involved — names, email addresses, financial information, health records, tax file numbers, passwords, payment card data. The nature and sensitivity of the data directly determines the harm assessment
- Whose personal information was involved? How many individuals are affected? Can you identify them by name? Are any vulnerable individuals — children, elderly, or people in sensitive circumstances — included?
- Who accessed the information? Was it a malicious external actor, a malicious insider, or accidental? An external attacker who has actively sought the data poses a different harm risk than an accidental internal disclosure to the wrong email recipient
- What is the likely harm? Could the compromised information be used for identity theft, financial fraud, blackmail, or other serious harm? Health and financial data carry the highest harm potential. Consider the data sensitivity, the context, and the likely intent of whoever accessed it
- Has the risk of harm been eliminated? If you have taken remedial action that genuinely eliminates the risk of serious harm — for example, you confirmed that a misdirected email was received by a trusted colleague who immediately deleted it without reading — the breach may not be notifiable. Document your reasoning carefully
The OAIC requires this assessment to be completed within 30 days of becoming aware of the suspected breach. For complex breaches involving a forensic investigation, the 30-day window runs from the date you first suspected a breach — not from when the investigation concludes. If you cannot complete a full assessment within 30 days, you should notify based on what you know and supplement with further information as it becomes available.
Step 3: Notify — Meet Your Legal Obligations Under the NDB Scheme (Within 30 Days)
If your assessment determines that an eligible data breach has occurred — or if you have reasonable grounds to believe one has — you must notify:
- Affected individuals: every person whose personal information was involved in the breach and who is at risk of serious harm. Notification must include: a description of the breach, the kind of personal information involved, what steps you are taking in response, and recommended steps individuals can take to protect themselves (e.g., change passwords, monitor credit reports, place a fraud alert)
- The OAIC: submit a statement to the Office of the Australian Information Commissioner using the online NDB notification form at oaic.gov.au. The statement must include the entity’s contact details, the nature of the breach, the kind of information involved, and the steps being taken in response
The timing of notification is critical. The Privacy Act requires notification as soon as practicable after you have reasonable grounds to believe an eligible data breach has occurred. There is no fixed number of hours — but the OAIC’s guidance is clear that unnecessary delays will be scrutinised. For major breaches involving health or financial data, days matter. For lower-risk breaches where harm assessment is more complex, a structured 2–3 week timeline is generally defensible if documented.
Notification Method | What to Include |
--- | --- |
Direct notification to individuals (preferred) | Personalised communication via email, letter, or phone. Must include: description of breach, types of information, recommended protective steps, your contact details for enquiries |
Substitute notification (when direct not reasonably practicable) | Prominent notice on your website and/or paid advertisement in a national newspaper or relevant state paper |
OAIC notification | Online NDB statement form at oaic.gov.au — includes entity details, breach description, information types, affected individual count (estimated if exact unknown), and response steps taken |
Optional: other regulators | OAIC guidance suggests considering notification to AFP, cyber insurer, ASIC (if financial services), APRA (if regulated), sector-specific regulators depending on the industry |
What if you are not certain whether the breach is eligible? The OAIC’s guidance is clear: if you are uncertain, notify anyway. The reputational and legal consequences of failure to notify a genuine eligible breach are far worse than the consequences of over-notifying a borderline case. The OAIC does not penalise good-faith over-notification.
Step 4: Investigate — Find the Root Cause (Days 3–14)
Containment stops the immediate harm. Investigation finds how the breach happened so you can fix it and prevent recurrence. A thorough forensic investigation is also essential documentation for your insurance claim, any regulatory response, and potential litigation.
Your investigation should establish:
- Initial access vector: How did the attacker (or accidental actor) gain access? Phishing credential theft? Unpatched vulnerability? Misconfigured cloud storage? Malicious insider? Third-party vendor compromise?
- Persistence mechanisms: Did the attacker establish persistence — backdoors, additional accounts, scheduled tasks — that could allow re-entry after initial remediation?
- Lateral movement: After initial access, did the attacker move laterally through the environment? What other systems, accounts, or data sets were accessed beyond the initial entry point?
- Data exfiltration: What data was accessed, copied, or exfiltrated? How much? To where? Is any data still accessible to the attacker through cloud storage or external accounts?
- Timeline reconstruction: When did the breach begin? How long was the attacker present before detection? This is critical for assessing the scope of potential harm and informing your NDB notification
For significant breaches, engage a qualified forensic investigator — either through your cyber insurer’s panel (always use approved vendors to protect your claim) or an independent firm. Self-investigation of serious breaches is risky: it can inadvertently contaminate evidence, miss attacker persistence, and expose your organisation to claims that the investigation was not conducted with appropriate rigour. Our cybersecurity incident response service provides forensic-grade investigation support for Australian businesses.
Step 5: Communicate — Manage Stakeholders with Transparency (Days 1–14)
Data breach communication is simultaneously a legal obligation, a reputational management exercise, and a trust-preservation imperative. How you communicate — with your staff, your clients, your partners, and the media — during and after a breach significantly determines how much lasting damage the incident causes.
Internal Communication
- Incident response team: convene immediately — IT/security lead, legal counsel or privacy officer, CEO/director, and communications lead
- Affected staff: inform staff whose personal information was involved or who need to take action (e.g., reset passwords, be alert for phishing) without creating panic or speculation
- Board/executive: brief immediately — they have governance obligations and will face questions from clients, investors, and regulators. Uninformed executives making public statements that contradict your formal response are a significant risk
External Communication
- Affected individuals: notify per your NDB obligations (see Step 3). Communication must be clear, honest, and actionable — tell people exactly what happened, what data was involved, and what steps they should take to protect themselves
- Clients and partners: even for non-notifiable breaches, consider proactively communicating with key clients if the breach involved their data or systems. Clients who learn about a breach from news sources before hearing from you will not forgive the delay
- Media: do not comment publicly until your communications lead has prepared approved statements. All media enquiries should be directed to a single spokesperson. Avoid speculation about cause, scope, or attribution until investigation is complete
The golden rule in breach communication: transparency and speed beat polish and perfection. A prompt, honest, imperfect communication is far better received than a delayed, carefully crafted one. The Optus breach’s reputational damage was amplified enormously by the perception that communication was delayed, defensive, and inadequate — a lesson that cost the company hundreds of millions in remediation and regulatory costs.
Step 6: Remediate — Fix What Broke and Restore Operations (Days 7–30)
Remediation means two things: restoring normal operations safely, and fixing the vulnerabilities that allowed the breach to occur. Both are essential — and the order matters.
- Restore from clean backups: do not restore from a backup that may be compromised. Verify backup integrity before use. Restore to a clean environment, not the original compromised infrastructure. Test thoroughly before reconnecting to production networks
- Rebuild compromised systems: do not simply patch compromised systems and reconnect them. Systems that hosted an attacker — especially servers — should be rebuilt from a known-clean baseline. Patching over an attacker’s persistence mechanisms is insufficient
- Rotate all credentials: reset passwords for all accounts in scope — not just the ones confirmed to be compromised. Assume all credentials in the environment may be known to the attacker
- Close the vulnerability: implement the specific fix for whatever allowed initial access — patch the vulnerability, fix the misconfiguration, enable MFA on the compromised account, remove excessive permissions from the vendor account
- Implement additional controls: use the investigation findings to identify other weaknesses and address them proactively. A breach is the most expensive security audit you will ever have — use the findings
Our cloud backup strategy guide and our approach to Microsoft 365 backup explain how to configure backup environments that support clean recovery without reintroducing attacker access.
Step 7: Review and Rebuild — Prevent the Next Breach (Days 14–60)
The final step — and the one most commonly skipped — is the post-incident review: a structured analysis of what happened, why it happened, what the response got right, and what it got wrong. Without this step, the breach becomes an expensive lesson that teaches nothing.
- Conduct a formal post-incident review: bring together your incident response team within 2–4 weeks of containment. Review the timeline, the detection gap, the response actions, and the communication
- Update your incident response plan: incorporate specific learnings — notification timelines you missed, communication gaps, tools that weren’t available when needed
- Implement structural security improvements: the investigation identified your specific vulnerabilities. Address them systematically — not just the one that was exploited, but the class of vulnerability
- Assess your security framework: use the breach as the trigger to conduct a comprehensive cybersecurity gap assessment against the ASD Essential Eight or ISO 27001 to understand your broader risk posture
- Document everything: your complete breach response documentation — from initial detection through OAIC notification, investigation findings, remediation steps, and post-incident review — is essential for regulatory defence, insurance purposes, and demonstrating ‘reasonable steps’ under the Privacy Act
Real-World Case Study: How a Perth Healthcare Provider Managed an NDB-Eligible Breach — and Kept Its Client Relationships Intact
Case Study Snapshot
- Industry: Allied Health (Physiotherapy Group)
- Location: Perth, WA
- Staff: 28
- Breach Type: Misconfigured cloud storage — patient records publicly accessible
- Records Exposed: ~1,800 patient records including health information
- NDB Eligible: Yes
- OAIC Notified: Day 11
- Regulatory Outcome: No enforcement action
- Client Retention Post-Breach: 94%
The Situation
A 28-person physiotherapy group operating across three Perth locations contacted CodeHyper after a routine review by their IT provider identified that a SharePoint Online folder containing patient appointment records and assessment notes had been misconfigured — set to ‘Anyone with the link can view’ — for approximately six weeks. The folder contained records for 1,847 patients, including names, dates of birth, contact details, health fund membership numbers, and clinical assessment notes.
The misconfiguration had been introduced during a staff member’s attempt to share a single document with an external specialist. The staff member had changed the folder’s sharing permissions rather than the individual document’s permissions, and the change had gone unnoticed because the organisation had no SharePoint access review or permission monitoring in place.
The business owner’s first instinct was to quietly fix the misconfiguration and say nothing. A CodeHyper consultant explained — clearly and directly — why that approach was both legally non-compliant and strategically counterproductive: the breach involved health information, it had been accessible for six weeks, and the likelihood of serious harm was impossible to rule out. Under the NDB scheme, this was an eligible data breach. Notification was not optional.
The Response — Day by Day
- Day 1 — Discovery and Containment: The misconfiguration was corrected within 30 minutes of discovery. All current and historical access logs for the folder were preserved. The practice’s lawyers and cyber insurer were contacted the same day
- Days 2–5 — Assessment: CodeHyper conducted a forensic review of SharePoint access logs to determine whether the link had been accessed by anyone other than authorised staff. The logs showed 12 access events from IP addresses outside the practice’s network — 9 were identified as the external specialist the document had been shared with, 2 were from unknown locations, and 1 was from a Google search crawler. The unknown accesses could not be definitively attributed to legitimate or malicious sources
- Days 5–8 — Harm Assessment and Legal Advice: Legal counsel assessed the breach against the NDB scheme’s eligible breach criteria. Given the sensitivity of the health information, the six-week exposure window, and the unidentifiable access events, the assessment concluded that the breach was likely to result in serious harm to at least some individuals. NDB notification was required
- Days 8–10 — Notification Preparation: The practice prepared two communications: a personal notification letter to all 1,847 affected patients explaining what had happened, what data was involved, what steps had been taken, and recommended protective steps (monitoring health fund accounts, being alert for phishing); and the OAIC NDB statement. Both were reviewed by legal counsel before submission
- Day 11 — Notifications Sent: Patient notifications were sent by email and postal mail. The OAIC NDB statement was submitted online. A statement was posted on the practice’s website
- Days 12–30 — Remediation: SharePoint governance policies were implemented through Microsoft 365 admin controls — default sharing settings changed to ‘Specific people’, external sharing limited to approved domains, and monthly permission review reports enabled. Staff training on SharePoint sharing was conducted. A formal data handling policy was documented
- Day 45 — OAIC Response: The OAIC acknowledged receipt of the NDB statement and indicated no further action would be taken, noting the organisation had responded promptly, notified affected individuals appropriately, and taken reasonable remediation steps
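The Days 2–5 log review above, as an added example that is not CodeHyper’s tooling: it takes simplified access records (constructed, modelled loosely on Microsoft 365 unified audit log exports; the field names, operation names, IP ranges, dates and folder URL are assumptions), keeps only access operations against the exposed folder inside the exposure window, attributes each source IP to the practice network, the confirmed specialist, a known crawler or unknown, and flags that serious harm cannot be ruled out while any unknown access remains.

```python
"""Triage of SharePoint access events for a folder exposed via an anonymous link.

Constructed example, not CodeHyper's tooling. Records are simplified and modelled
loosely on Microsoft 365 unified audit log exports; field names, operations, IP
ranges, dates and the folder URL are assumptions used for illustration only.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed exposure window: when the folder became 'Anyone with the link'
# and when the misconfiguration was corrected.
EXPOSURE_START = datetime(2025, 1, 6, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2025, 2, 17, tzinfo=timezone.utc)
EXPOSED_FOLDER = "https://contoso.sharepoint.com/sites/Clinical/Shared Documents/Assessments/"

# Attribution sources (all constructed): practice egress ranges, the external
# specialist's IP confirmed from the sharing invitation, and a crawler range.
PRACTICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_EXTERNAL = {"198.51.100.25": "external specialist (confirmed share recipient)"}
CRAWLER_NETWORKS = {"search crawler": [ipaddress.ip_network("192.0.2.0/24")]}

# Operations that mean content was actually read or fetched (assumed names).
ACCESS_OPERATIONS = {"FileAccessed", "FileDownloaded", "AnonymousLinkUsed"}


def classify_ip(ip: str) -> str:
    """Attribute a client IP to a known party, or 'unknown' if it cannot be."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRACTICE_NETWORKS):
        return "practice network"
    if ip in KNOWN_EXTERNAL:
        return KNOWN_EXTERNAL[ip]
    for name, nets in CRAWLER_NETWORKS.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2025-01-07T10:00:00Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def triage(records):
    """Keep in-window access events against the exposed folder and attribute each source."""
    in_scope = []
    for rec in records:
        if rec["Operation"] not in ACCESS_OPERATIONS:
            continue  # e.g. the link-creation event itself is not a read
        if not rec["ObjectId"].startswith(EXPOSED_FOLDER):
            continue  # other folders were never exposed
        when = parse_time(rec["CreationTime"])
        if not EXPOSURE_START <= when <= EXPOSURE_END:
            continue  # outside the window in which the link worked
        in_scope.append({**rec, "source": classify_ip(rec["ClientIP"])})
    counts = Counter(event["source"] for event in in_scope)
    return {
        "events": in_scope,
        "counts": counts,
        "external_count": sum(n for src, n in counts.items() if src != "practice network"),
        "unattributed": [event for event in in_scope if event["source"] == "unknown"],
    }


def harm_cannot_be_ruled_out(result) -> bool:
    """An unattributed read of health records means remedial action cannot be shown
    to have prevented serious harm, so the notifiable-breach question stays open."""
    return len(result["unattributed"]) > 0


def _rec(stamp, operation, ip, obj=EXPOSED_FOLDER + "assessment-notes.docx", user="anonymous"):
    return {"CreationTime": stamp, "Operation": operation, "UserId": user,
            "ClientIP": ip, "ObjectId": obj}


# Constructed sample export: 9 specialist, 1 crawler, 2 unknown and 3 staff reads in
# the window, plus the link-creation event, an out-of-window read and another folder.
SAMPLE_RECORDS = (
    [_rec("2025-01-06T08:02:00Z", "AnonymousLinkCreated", "203.0.113.10", user="staff@contoso.example")]
    + [_rec(f"2025-01-{day:02d}T10:00:00Z", "AnonymousLinkUsed", "198.51.100.25") for day in range(7, 16)]
    + [_rec("2025-01-20T03:14:00Z", "AnonymousLinkUsed", "192.0.2.77")]
    + [_rec("2025-01-29T22:41:00Z", "AnonymousLinkUsed", "198.51.100.200"),
       _rec("2025-02-03T01:05:00Z", "FileDownloaded", "2001:db8::1234")]
    + [_rec(f"2025-02-{day:02d}T09:00:00Z", "FileAccessed", "203.0.113.12", user="clinician@contoso.example")
       for day in (4, 5, 6)]
    + [_rec("2025-02-20T09:00:00Z", "FileAccessed", "203.0.113.12", user="clinician@contoso.example")]
    + [_rec("2025-01-25T12:00:00Z", "AnonymousLinkUsed", "198.51.100.201",
            obj="https://contoso.sharepoint.com/sites/Clinical/Shared Documents/Newsletters/jan.pdf")]
)

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    print(f"{result['external_count']} access events from outside the practice network")
    for source, count in result["counts"].items():
        print(f"  {count:>3}  {source}")
    for event in result["unattributed"]:
        print(f"UNATTRIBUTED {event['CreationTime']} {event['ClientIP']} {event['Operation']}")
    print("Serious harm cannot be ruled out:", harm_cannot_be_ruled_out(result))
```

The unattributed list is what goes to legal counsel for the Days 5–8 harm assessment; the counts alone are not enough, because a single unknown read of clinical notes keeps the breach eligible.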
The Outcomes
Results at Day 60
- OAIC outcome: No enforcement action — NDB compliant response acknowledged
- Patient complaints received: 7 (responded to within 24 hours each)
- Patient retention: 94% of active patients continued treatment
- Media coverage: None
- Insurance claim: Covered — forensic investigation and legal advice costs reimbursed
- Lasting change: SharePoint governance policy, permission monitoring, staff training, and quarterly access reviews now in place
The practice owner credited proactive, transparent communication with the retention outcome. Several patients who responded to the notification letter explicitly thanked the practice for telling them — noting that they trusted the practice more, not less, because they had been informed. The two patients who lodged formal complaints were both resolved through direct conversation and a clear explanation of the remediation steps taken.
“Every instinct said don’t tell anyone — fix it and move on. But our advisors were clear: that’s both illegal and the worst thing we could do commercially. The notification letters went out. Most patients never responded, a few thanked us, two were upset but calmed down after we talked. Not one left because of the breach. They left because we communicated badly about other things. Transparency, it turns out, builds trust.” — Practice Director, Perth Physiotherapy Group
NDB Scheme Quick Reference: Everything You Need to Know
Question | Answer | Source / Notes |
--- | --- | --- |
Who must comply? | All APP entities — businesses with >$3M turnover, all govt agencies, all health providers, credit providers, TFN recipients | Privacy Act 1988, s26WE |
What triggers notification? | Unauthorised access/disclosure/loss of personal information that is likely to result in serious harm AND remedial action cannot prevent the harm | Privacy Act 1988, s26WL |
How long to assess? | 30 days from becoming aware of a suspected eligible data breach — this is the outer limit, not the target | Privacy Act 1988, s26WH |
Who must be notified? | 1) Affected individuals at risk of serious harm; 2) The OAIC via online NDB statement form | Privacy Act 1988, ss26WK–26WL |
When to notify individuals? | As soon as practicable after forming reasonable grounds that an eligible data breach has occurred | OAIC NDB guidance |
What if direct notification is impractical? | Substitute notification — prominent notice on your website and/or national newspaper advertisement | Privacy Act 1988, s26WL |
What if you’re unsure whether to notify? | When in doubt, notify — the OAIC recommends erring toward notification; over-notification is treated more leniently than under-notification | OAIC guidance |
Penalties for non-compliance? | Up to $50M AUD or 30% of domestic turnover (whichever is greater) for organisations; $420,000 for individuals | Privacy Act 1988 as amended Dec 2024 |
What if remedial action eliminates harm? | If effective remedial action eliminates the likelihood of serious harm, the breach may not be eligible and notification may not be required — document your reasoning carefully | Privacy Act 1988, s26WF |
Does the Cyber Security Act 2024 add obligations? | Yes — ransomware payment reporting is mandatory for businesses >$3M turnover within 72 hours; separate from NDB scheme obligations | Cyber Security Act 2024, from 30 May 2025 |
Building Your Data Breach Response Plan Before an Incident Occurs
The businesses that respond to data breaches most effectively have one thing in common: they planned before the incident, not during it. A data breach response plan is a documented set of procedures that every member of your incident response team can follow when the pressure is highest and the stakes are greatest.
Your data breach response plan must include:
1. Your Incident Response Team
Define who is responsible for each role before an incident occurs. In a small business, one person may hold multiple roles — but every role must have a named owner:
- Incident Lead: the person with overall authority to make response decisions — typically the CEO, Director, or IT Manager
- Technical Lead: responsible for containment, forensic evidence preservation, and remediation — your senior IT person or external managed security provider
- Legal/Privacy Officer: responsible for assessing NDB eligibility, managing OAIC notification, and advising on regulatory obligations. For most SMBs, this is an external privacy lawyer engaged on retainer
- Communications Lead: responsible for drafting and approving all internal and external communications — including client notifications and any media statements
- Insurance Contact: the person responsible for notifying your cyber insurer and managing the claims process — with the insurer’s claims hotline number stored offline
2. A Contact Register (Stored Offline)
In a ransomware attack, your systems may be encrypted and inaccessible. Your contact register must exist in printed form and be accessible without any digital system:
- Cyber insurer claims hotline number
- Your incident response provider or managed security team
- Your privacy lawyer
- OAIC contact information (oaic.gov.au, or 1300 363 992)
- Your forensic investigation provider (if pre-engaged)
- Key client contacts who must be notified promptly
3. Pre-Approved Communication Templates
Drafting client notification letters, OAIC statements, and staff communications under pressure — with legal review — takes time you often don’t have. Pre-draft and pre-approve template communications for:
- Client/patient notification letter template (to be customised with breach specifics)
- Staff communication template (internal incident notification)
- OAIC NDB statement template
- Website public notice template (for substitute notification if required)
- Media holding statement (for use if approached by journalists)
4. Evidence Preservation Procedures
Your forensic investigation, insurance claim, and any regulatory defence will all depend on the quality of evidence preserved in the first hours. Define before the incident which logs are retained, for how long, and how they will be captured in an emergency:
- Authentication and access logs (Azure AD sign-in logs, VPN logs)
- Email gateway and filtering logs
- EDR telemetry and alert history
- Network traffic logs and firewall logs
- Application and database access logs
5. Breach Classification Criteria
Pre-define your internal classification criteria so that any staff member who suspects a breach knows immediately what constitutes a reportable incident and who to tell:
- Any suspected ransomware, malware, or unauthorised system access — report immediately to IT Lead
- Any lost or stolen device containing personal information — report immediately to IT Lead
- Any email sent to the wrong recipient containing personal information — report to Privacy Officer within 1 hour
- Any notification from a third party of a possible breach of your data — escalate to Incident Lead immediately
The 5 Most Expensive Data Breach Response Mistakes Australian Businesses Make
Mistake 1: Trying to Contain Quietly Without Notifying
The instinct to fix and forget is understandable — but it is both legally dangerous and commercially counterproductive. Failing to notify an eligible data breach under the NDB scheme exposes you to penalties of up to $50 million. And when the breach eventually becomes public — as breaches almost always do — the cover-up is treated as worse than the original incident. Proactive, honest notification consistently produces better outcomes than delayed or suppressed reporting, as the Perth physiotherapy case demonstrates.
Mistake 2: Notifying Individuals Before Your Systems Are Secured
Notifying affected individuals before containing the breach can tip off the attacker, prompt them to accelerate exfiltration, or cause individuals to contact your systems in ways that complicate the investigation. Containment always precedes notification. The NDB scheme allows a reasonable assessment period — use it. Do not send client notifications while your systems are still actively compromised.
Mistake 3: Rebuilding Compromised Systems Without Forensic Capture
The urge to restore normal operations as quickly as possible leads many businesses to reimage compromised systems before completing forensic evidence capture. This destroys the evidence your investigation, insurance claim, and potential prosecution depend on. Always preserve forensic images of compromised systems before rebuilding. Your cyber insurer may require forensic evidence to process your claim.
Mistake 4: Underestimating the Third-Party Risk
Many Australian data breaches originate with a compromised third-party vendor — a payroll provider, a cloud storage platform, a managed service provider. When a third party causes a breach of your data, you still hold the NDB notification obligations for that data. Do not assume your vendor will handle compliance on your behalf — verify immediately, document everything, and treat it as your own breach until confirmed otherwise. Our guide to how staged cyber attacks work explains how attackers use the supply chain as an entry vector.
Mistake 5: Not Testing the Response Plan Before an Incident
A data breach response plan that has never been tested is a document — not a capability. Tabletop exercises — simulated breach scenarios where your response team walks through the plan — reveal gaps, confusion, and bottlenecks before they appear under real-world pressure. Run at least one tabletop exercise per year. The ASD Essential Eight maturity model requires documented, tested incident response processes at higher maturity levels — and it is a requirement that insurers increasingly verify.
The Best Data Breach Response Is One You Never Have to Execute
Every step in this guide exists because prevention failed somewhere. The most effective use of your time and budget is preventing breaches from occurring in the first place — and limiting their impact when they inevitably do occur. Here are the highest-impact prevention measures based on breach root cause data:
| Most Common Breach Root Cause in Australia | Primary Prevention Control |
|---|---|
| Credential theft via phishing (leading cause) | MFA on all accounts + security awareness training + phishing simulation |
| Unpatched vulnerabilities (internet-facing systems) | Automated patch management with <14 day critical patch window |
| Misconfigured cloud storage / excessive sharing permissions | Cloud security configuration review + SharePoint/OneDrive governance policies |
| Compromised third-party vendor | Supplier security assessments + least-privilege vendor access + access review cycles |
| Malicious or negligent insider | Role-based access control + audit logging + access reviews + staff training |
| Ransomware via email attachment or malicious link | Email gateway filtering + MFA + EDR + user training + macro controls |
| Lost or stolen device | Full disk encryption + MDM remote wipe capability + MFA on all device access |
| Business email compromise (payment redirection) | DMARC/DKIM/SPF + staff training + call-back verification procedures for payment changes |
The ASD Essential Eight framework directly addresses the six most common breach root causes through its eight controls. Businesses at Essential Eight Maturity Level 2 are significantly harder targets than those with no formal security programme — and face materially lower breach frequency, lower breach severity, and better insurance outcomes when incidents do occur. Our Essential Eight checklist is the fastest path to building that protection.
Whether You’re in the Middle of a Breach or Trying to Prevent One — We’re Here
A data breach is the moment that tests every decision you made about cybersecurity over the preceding years. The businesses that come through it well — retained clients, paid insurance claims, no regulatory action, stronger security on the other side — are the businesses that had a plan, followed it, and communicated with transparency.
At CodeHyper, we help Australian businesses at both ends of this challenge: building the security controls that prevent breaches, and providing the incident response support that limits the damage when prevention isn’t enough. Our managed cybersecurity services include 24/7 monitoring, incident response, backup management, and the ongoing documentation that supports both regulatory compliance and insurance claims.
If you are experiencing a data breach right now — contact us immediately. If you want to build a data breach response plan before you need it, contact us today for a no-obligation cybersecurity and incident response assessment tailored to your business.
Frequently Asked Questions: Data Breach Response in Australia
What should I do immediately after discovering a data breach?
Your immediate priorities in the first four hours are: isolate affected systems from the network to prevent the breach from spreading; preserve all logs and forensic evidence before making any changes; revoke or disable compromised credentials; notify your cyber insurer (most policies require notification within 24–72 hours of discovery); and contact your incident response team. Do not power off servers without forensic guidance — it can destroy volatile evidence. Do not make any public statements until your communications lead has prepared approved messaging.
Am I legally required to report a data breach in Australia?
If you are an APP entity — a business with annual turnover over $3 million, a health service provider, a government agency, or a credit provider — and you have experienced an eligible data breach, you are legally required to notify both the affected individuals and the OAIC under the Notifiable Data Breaches (NDB) scheme. Failure to comply can result in penalties of up to $50 million AUD or 30% of domestic turnover. If you are uncertain whether the scheme applies to your business or whether your specific incident is notifiable, seek legal advice and contact the OAIC.
How long do I have to report a data breach to the OAIC?
Under the NDB scheme, you must complete your assessment of a suspected eligible data breach within 30 days of becoming aware of it, and notify the OAIC and affected individuals as soon as practicable after forming reasonable grounds that an eligible data breach has occurred. The 30 days is the outer limit — not the target. For serious breaches involving health or financial data, the OAIC expects prompt notification. If investigation is complex and 30 days is insufficient, notify based on what you know and supplement with additional information as it becomes available.
What is an ‘eligible data breach’ under Australian law?
An eligible data breach under the NDB scheme is one that meets three criteria: there has been unauthorised access to, disclosure of, or loss of personal information; the breach is likely to result in serious harm to one or more of the individuals whose information was involved; and the organisation has been unable to prevent the likely risk of serious harm through remedial action. If effective remedial action eliminates the likelihood of serious harm — for example, confirming that a misdirected email was immediately deleted unread by a trusted colleague — the breach may not be eligible.
Do I need to notify customers even if the breach was accidental?
Yes, if the accidental breach meets the eligible data breach criteria. The NDB scheme does not distinguish between malicious and accidental breaches — what matters is whether personal information was subject to unauthorised access or disclosure and whether it is likely to result in serious harm to affected individuals. Accidental disclosure of health information or financial data to the wrong recipient is as notifiable as a deliberate hacking incident if the harm threshold is met.
What should a data breach notification to customers include?
Under the NDB scheme, your notification to affected individuals must include: the name and contact details of your organisation; a description of the data breach; the kinds of personal information involved; what steps you recommend individuals should take in response to the breach; and how individuals can contact you with enquiries. The OAIC strongly recommends being specific, clear, and actionable rather than using vague or legalistic language that leaves individuals uncertain about what happened or what to do.
Can my cyber insurance help cover a data breach?
Yes — if your policy is in force, your declared controls are maintained, and you follow the policy’s notification and response requirements. Cyber insurance typically covers forensic investigation costs, legal fees, client notification costs, regulatory defence costs, and business interruption losses arising from a breach. To protect your claim: notify your insurer immediately (within 24–72 hours of discovery), use only insurer-approved vendors for forensic and legal work, and do not delete or reimage systems before forensic capture. Our guide to cyber insurance requirements covers what controls you need in place to ensure your claim is paid.
How do the Medibank and Optus breaches apply to smaller businesses?
The Medibank and Optus breaches illustrate two principles that apply to businesses of every size. First, the OAIC is actively pursuing enforcement — businesses that fail to notify eligible breaches, provide inadequate notifications, or demonstrate poor security practices face real regulatory consequences, not just reputational ones. Second, the response matters as much as the breach itself — reputational damage from both incidents was amplified by communication failures, not just the data loss. Proactive, transparent, and technically competent responses consistently produce better outcomes.
What is the difference between a data breach and a cyber incident?
A cyber incident is the broader category — any event that compromises the confidentiality, integrity, or availability of your systems or data. Not every cyber incident is a data breach. Ransomware that encrypts your systems without accessing personal data is a cyber incident but may not be a data breach under the NDB scheme. Ransomware that exfiltrates personal data before encrypting it is both a cyber incident and a data breach requiring NDB assessment and potential notification. The key question for NDB purposes is always: was personal information accessed or disclosed, and could that cause serious harm to individuals?
How do I build a data breach response plan for my small business?
Start with five elements: define your incident response team and their roles; build an offline contact register with your insurer, legal counsel, IT provider, and OAIC contact details; pre-draft notification templates for clients, staff, and the OAIC; document your evidence preservation procedures; and define your internal breach classification criteria so staff know what to report and to whom. Test the plan with a tabletop exercise before you need it. Our managed cybersecurity team can guide you through this process — contact us today to get started.