
If your business has just discovered a data breach, the next 72 hours will define your legal exposure, your recovery timeline, and how much damage you can actually limit. Act in the right order, and you will meet your obligations under Australian law, contain the incident, and protect your clients. Miss the window, and the costs multiply fast. This guide gives you the exact response timeline your business needs right now.

Why the First 72 Hours Matter So Much

Three things happen in parallel during a data breach, and all three are time-sensitive. First, the attacker may still be inside your systems. Every hour without containment is another hour they can extract data, escalate access, or plant backdoors. Second, evidence degrades. Logs get overwritten, volatile memory is lost, and forensic trails disappear. Third, your legal obligations under Australia’s Notifiable Data Breaches (NDB) scheme begin ticking the moment you become aware of, or have reasonable grounds to suspect, an eligible breach.

Under the Privacy Act 1988, businesses covered by the NDB scheme must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable after forming reasonable grounds to believe an eligible breach has occurred. Where you only suspect a breach, the Act requires a reasonable and expeditious assessment to be completed within 30 days; the OAIC treats that 30 days as a maximum, not a target. There is no fixed 72-hour deadline written into Australian law, unlike the GDPR in Europe. However, regulatory guidance makes clear that delays of weeks or months are unacceptable. Realistically, most organisations will complete their initial assessment and begin notification within 72 hours of discovery.

The 72-hour window is also when you have the most control. After that, the situation is increasingly shaped by regulators, media, and the affected individuals themselves.

Hour 0 to 4: Contain the Incident Immediately

The first four hours are about stopping the bleeding. Do not try to fully understand what happened yet. That comes later. Right now, your only priority is containment.

Isolate affected systems

Disconnect compromised devices from your network. If your endpoint detection and response (EDR) tool offers network containment, use it: it cuts the device off from everything except the EDR console, so the responder can still capture memory and collect artefacts. Otherwise, physically unplug ethernet cables or disable Wi-Fi adapters. Do not simply shut the devices down. Powered-off systems lose volatile memory, which may contain evidence of how the attacker got in and what they did, including running processes, open network connections, and in-memory credentials. Isolation without shutdown preserves that evidence.

If the breach involves a cloud service or SaaS application, revoke active sessions and API tokens, and change administrative credentials immediately. Do both: a password reset on its own does not end sessions that are already authenticated, so sign the account out of all devices and revoke its refresh tokens as well. Check for persistence the attacker may have added, such as new mailbox forwarding rules, newly registered MFA devices, or OAuth app consents. Perform these actions from a device you know is clean, and enable multi-factor authentication on any accounts where it is not already active.

Call your IT provider now

This is not the time to manage the incident internally unless you have a dedicated security team with incident response experience. Your managed security provider should have an incident response process ready to activate. If you do not have one, this is the moment that gap becomes very expensive.

When you call, tell them: when you discovered the breach, what systems appear to be affected, and what you have done so far. Do not take further containment actions without their guidance, as some well-intentioned steps can destroy evidence or make the situation worse.

Do not wipe anything

The instinct to wipe and rebuild affected systems is understandable. Resist it. You need forensic evidence to understand the full scope of the breach, meet your legal obligations, and prevent the same attack from recurring. Wiping systems prematurely can also look like evidence destruction to regulators, which creates additional legal risk.

Start your incident log

Open a document right now and start recording everything. Timestamp every action, every decision, and every person involved, and use a single timezone (UTC is simplest, since your logs will be in UTC too). Keep the log somewhere the attacker cannot reach; a document on a compromised file server is not a safe record. This log will be essential for your OAIC notification, any legal proceedings, and your own post-incident review. If you use Microsoft 365, Copilot can help you structure and draft this incident timeline as events unfold, which is particularly useful when multiple team members are contributing information at once.
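The point of timestamping every entry is that the record can later be relied on. The following is an added example, not Otto IT's tooling or anything from the original article: a small Python incident log in which each entry is hashed together with the hash of the entry before it, so a later edit, reordering or deletion of an entry breaks the chain and is detected on verification. The incident identifier, people and entries are constructed for illustration.

```python
"""Tamper-evident incident log: each entry commits to the previous entry's
hash, so altering history is detectable. Added example; sample data is
constructed and the incident INC-2025-0001 is hypothetical."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash carried by the first entry


def canonical_hash(entry: dict) -> str:
    """SHA-256 over the entry (minus its own hash) serialised with sorted
    keys, so the same content always hashes the same way."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class IncidentLog:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: List[dict] = []

    def record(self, actor: str, action: str, detail: str = "",
               when: Optional[datetime] = None) -> str:
        """Append one UTC-timestamped entry chained to the previous one."""
        when = when or datetime.now(timezone.utc)
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "incident_id": self.incident_id,
            "timestamp": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev_hash": prev_hash,
        }
        entry["hash"] = canonical_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain. Returns (True, None) if intact, otherwise
        (False, seq) for the first entry that does not check out."""
        prev_hash = GENESIS
        for expected_seq, entry in enumerate(self.entries, start=1):
            if (entry["seq"] != expected_seq
                    or entry["prev_hash"] != prev_hash
                    or canonical_hash(entry) != entry["hash"]):
                return False, expected_seq
            prev_hash = entry["hash"]
        return True, None

    def head(self) -> str:
        """Latest hash. Record it out of band (e.g. email it to counsel) so
        that silently dropping the newest entries is also detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def to_jsonl(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def build_sample_log() -> IncidentLog:
    """Constructed entries for the hypothetical incident INC-2025-0001."""
    t0 = datetime(2025, 3, 4, 9, 12, tzinfo=timezone.utc)
    log = IncidentLog("INC-2025-0001")
    log.record("j.doe (IT lead)", "breach discovered",
               "EDR alert: credential dumping on fs01", when=t0)
    log.record("j.doe (IT lead)", "containment",
               "fs01 isolated via EDR network containment; not powered off",
               when=t0.replace(minute=20))
    log.record("a.roe (legal)", "MSP and counsel engaged",
               "MSP IR on-call activated; counsel advised to preserve logs",
               when=t0.replace(minute=41))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.to_jsonl())
    print("chain intact:", log.verify(), "head:", log.head())
    log.entries[1]["detail"] = "fs01 rebuilt"   # simulate a later quiet edit
    print("after edit:", log.verify())         # chain now fails at seq 2
```

Verification catches edits, reordering and deletions in the middle of the chain, but not removal of the most recent entries, which is why the head hash should be written somewhere the log's author cannot later alter, such as an email to your legal counsel at the end of each shift.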

Hour 4 to 24: Assess the Scope

Once containment is underway, your IT provider and internal team need to determine the actual extent of the breach. This assessment drives every decision that follows.

What data was accessed or exfiltrated?

Work through your systems to identify what data was accessible to the attacker and what evidence exists that it was actually taken. Access and exfiltration are different findings: a file-server audit log showing reads of a client folder, or firewall logs showing a large outbound transfer to an unfamiliar address, is evidence; the absence of such logs is not proof that nothing left. The categories that matter under the NDB scheme are personal information generally and, within it, sensitive information as defined under the Privacy Act (health information among others), together with financial information and government identifiers such as tax file numbers.

The distinction matters. A breach involving employee names and work email addresses may not trigger mandatory notification. A breach involving client tax file numbers, health records, or financial account details almost certainly will.

How many individuals are affected?

Volume matters for triage, but it does not change the notification obligation. Even a breach affecting one person can be notifiable if the information is sensitive and the risk of serious harm is real. Document your count accurately.

Which systems were compromised?

Map out every system the attacker touched. Check adjacent systems that were not the primary target but may have been accessed during lateral movement. Review authentication logs, access logs, and any available endpoint detection data, and export copies of those logs now, before retention windows roll them over. Your IT provider should lead this analysis.

How did they get in?

Identifying the initial access vector is critical for two reasons. First, if the vulnerability is still open, containment is not complete. Second, you need this information for your OAIC notification and for the post-incident remediation plan.
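The questions above (what was taken, which systems and accounts, how they got in) are answered by correlating events across several log sources. The following is an added example, not code from the original article or from Otto IT: a Python first pass over a constructed set of VPN, logon, file-access and firewall events that finds a likely initial access event, follows the accounts and hosts the attacker pivoted through, and flags file reads and outbound transfers that bear on the NDB assessment. The log format, host inventory, address range and keyword hints are all assumptions made for the example; a real assessment uses your own log schema and asset list, and the output is a starting point for an analyst, not a verdict.

```python
"""First-pass scope assessment over constructed auth/logon/file/egress events.
Added example; the log format, inventory and hints are assumptions."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample events. RFC 5737 documentation addresses stand in for the
# attacker (203.0.113.45), a legitimate remote worker (198.51.100.23) and the
# attacker's drop host (198.51.100.7).
SAMPLE_LOG = """\
2025-03-03T18:02:00Z vpn-gw auth user=a.nguyen src=198.51.100.23 result=OK mfa=yes assigned=10.0.9.30
2025-03-03T22:40:11Z vpn-gw auth user=j.smith src=203.0.113.45 result=FAIL mfa=no
2025-03-03T22:40:39Z vpn-gw auth user=j.smith src=203.0.113.45 result=FAIL mfa=no
2025-03-03T22:41:07Z vpn-gw auth user=j.smith src=203.0.113.45 result=FAIL mfa=no
2025-03-03T22:43:52Z vpn-gw auth user=j.smith src=203.0.113.45 result=OK mfa=no assigned=10.0.9.14
2025-03-03T22:50:10Z fs01 logon user=j.smith src=10.0.9.14 result=OK
2025-03-03T23:05:33Z dc01 logon user=svc_backup src=10.0.5.21 result=OK
2025-03-03T23:20:00Z fs01 file user=svc_backup action=read path=/shares/hr/payroll_2024.xlsx
2025-03-03T23:21:15Z fs01 file user=svc_backup action=read path=/shares/clients/tfn_register.csv
2025-03-04T01:02:12Z fw01 egress user=svc_backup src=10.0.5.21 dst=198.51.100.7 bytes=734003200
2025-03-04T08:15:02Z dc01 logon user=a.nguyen src=10.0.9.30 result=OK
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed corporate range
HOST_IPS = {"fs01": "10.0.5.21", "dc01": "10.0.5.2"}  # assumed asset inventory
# Path keywords hinting at NDB-relevant data: a triage heuristic, not a classifier.
DATA_HINTS = {"tfn": "government identifier (TFN)", "payroll": "financial",
              "health": "health information", "medical": "health information"}


def parse(log_text):
    """Turn 'ts host kind k=v k=v ...' lines into dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                  host=host, kind=kind)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_initial_access(events):
    """First external auth success that follows repeated failures from the
    same source within an hour, or that succeeded without MFA."""
    for i, ev in enumerate(events):
        if ev["kind"] != "auth" or ev.get("result") != "OK":
            continue
        if ipaddress.ip_address(ev["src"]) in INTERNAL:
            continue
        fails = sum(1 for p in events[:i]
                    if p["kind"] == "auth" and p.get("result") == "FAIL"
                    and p["src"] == ev["src"]
                    and (ev["ts"] - p["ts"]).total_seconds() <= 3600)
        if fails >= 2 or ev.get("mfa") == "no":
            return {"ts": ev["ts"].isoformat(), "host": ev["host"], "user": ev["user"],
                    "src": ev["src"], "mfa": ev.get("mfa"),
                    "failed_attempts_before": fails, "assigned": ev.get("assigned")}
    return None


def assess(log_text):
    events = parse(log_text)
    ia = find_initial_access(events)
    if ia is None:
        return {"initial_access": None}
    start = datetime.fromisoformat(ia["ts"])
    accounts, hosts = {ia["user"]}, {ia["host"]}
    sources = {ia["src"]} | ({ia["assigned"]} if ia["assigned"] else set())
    accessed, exfil = [], []
    for ev in events:
        if ev["ts"] < start:
            continue
        # An event is suspect if it uses a compromised account or comes from
        # an address the attacker is known to have held.
        if not (ev.get("user") in accounts or ev.get("src") in sources):
            continue
        if ev["kind"] == "logon" and ev.get("result") == "OK":
            accounts.add(ev["user"])          # account used from a suspect source
            hosts.add(ev["host"])
            if ev["host"] in HOST_IPS:        # attacker can now pivot from here
                sources.add(HOST_IPS[ev["host"]])
        elif ev["kind"] == "file":
            hosts.add(ev["host"])
            cats = sorted({label for key, label in DATA_HINTS.items()
                           if key in ev["path"].lower()})
            accessed.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "host": ev["host"], "path": ev["path"], "categories": cats})
        elif ev["kind"] == "egress":
            exfil.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "src": ev["src"],
                          "dst": ev["dst"], "bytes": int(ev["bytes"])})
    return {"initial_access": ia, "compromised_accounts": sorted(accounts),
            "affected_hosts": sorted(hosts), "data_accessed": accessed,
            "exfiltration": exfil}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_LOG), indent=2))
```

On the sample, the first VPN login (MFA passed, no failures beforehand) is left alone, while the no-MFA success after three failures is reported as initial access, and the walk picks up the service account used from fs01, the domain controller it reached, the two sensitive files read, and the 700 MB transfer to an external host. Note what the walk deliberately does not do: it does not treat every later logon to an affected host as compromised. In practice, once a domain controller is in scope, anyone who logged on to it after the intrusion should have their credentials reset regardless, and the individuals whose data is in the flagged files still have to be counted by hand.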

Hour 24 to 48: Make Your Notification Decisions

By this point, you should have enough information to make a preliminary determination about your notification obligations. This is where the legal dimension of the incident becomes front and centre.

Does the NDB scheme apply to your business?

The NDB scheme applies to organisations covered by the Privacy Act. This includes Australian Government agencies, businesses with an annual turnover above $3 million, and some smaller businesses in specific circumstances, such as health service providers, credit providers, tax file number recipients, and those that trade in personal information. If you are unsure whether your business is covered, your legal counsel should confirm this immediately.

Is this an eligible data breach?

An eligible data breach under the NDB scheme has three elements. There must be unauthorised access to or disclosure of personal information (or the information must be lost in circumstances where access or disclosure is likely). The breach must be likely to result in serious harm to one or more individuals. And the organisation must not have been able to prevent the likely risk of serious harm through remedial action. That last element is the one exception worth understanding: if you act quickly enough that serious harm is no longer likely, for example by recalling a misdirected email before it is opened, the breach may not be eligible, but you must be able to evidence both the action and why it removed the risk.

Assessing serious harm requires you to consider the type of information, the sensitivity of that information, whether it is protected by security measures, who may have obtained it, and the likely purposes for which it will be used. For a deeper walkthrough of the formal notification requirements, see our guide on data breach notification for Australian businesses.

Prepare your OAIC notification

If you have determined this is an eligible breach, begin preparing your notification to the OAIC. The OAIC’s online form requires you to provide the name and contact details of your organisation, a description of what happened, the kinds of information involved, the number of individuals affected, the steps you have taken or plan to take in response, and the steps you recommend affected individuals take to protect themselves. That last item is a required part of the statement, not an optional courtesy, so work it out before you submit.

Copilot and AI writing tools can meaningfully accelerate this process. You can use them to draft the incident description from your log notes, check your narrative for clarity, and ensure you have covered all required fields. Use a tool that sits inside your organisation’s data handling agreements rather than a consumer service, because the draft will contain details of the very information that was breached. Human review and sign-off is still required before submission, but AI drafting can save hours when you are operating under pressure.

Hour 48 to 72: Notify, Communicate, and Document

The final phase of the initial 72-hour response involves outward communication and completing your documentation. By now, containment should be stable, the scope assessment should be substantially complete, and notification decisions should be made.

Notify affected individuals

Where you have determined that individuals are at risk of serious harm, you must notify them directly. Your notification should include: a description of the breach, the kind of information involved, what you recommend they do to protect themselves, and your contact details for further questions. If it is not practicable to contact individuals directly, the scheme allows you to publish the statement on your website and take reasonable steps to publicise it, but direct contact is the expected route wherever you hold a usable address.

The tone of this communication matters. People are receiving news that their personal information may be in the wrong hands. Be clear, be honest, and give them actionable steps. Avoid corporate language that minimises the situation or makes it harder for individuals to understand what happened.

Communicate with clients and stakeholders

Beyond the formal notification to affected individuals, you will need to communicate with clients, partners, and possibly your own staff. Tailor each communication to what that audience needs to know and what they are likely to ask. Your managed security provider and legal counsel should review client-facing communications before they go out.

Prepare for inbound enquiries. Designate a single point of contact for breach-related questions and brief them thoroughly. Nothing erodes trust faster than an inconsistent story from different parts of the business.

Complete your incident documentation

Your incident log should now be a comprehensive record of the breach from discovery to this point. Document the timeline of events, every containment and remediation action taken, every decision made and by whom, and all communications sent. This documentation serves multiple purposes: it supports your OAIC notification, it demonstrates to regulators that you acted appropriately, and it forms the foundation of your post-incident review.

What Not to Do After a Data Breach

Several responses feel intuitive but will make your situation significantly worse.

Do not pay a ransom. Ransom payment does not guarantee data recovery or deletion. It funds criminal operations and may place you in breach of sanctions laws if the recipient is a sanctioned entity. Engage your IT provider and legal counsel before considering any payment. Be aware, too, that Australia’s Cyber Security Act 2024 introduced a mandatory obligation for businesses with turnover above $3 million to report any ransomware payment to the Australian Government within 72 hours of making it, so a payment creates a further reporting duty rather than making the incident go away.

Do not delete logs or wipe systems prematurely. As noted above, this can constitute evidence destruction. Regulators and courts take a dim view of it, and it will undermine your ability to understand and remediate the breach.

Do not delay notification. The temptation to wait until you have complete information is understandable, but regulators expect you to act on what you know and update as you learn more. Prolonged silence while an investigation continues is not a defensible position.

Do not stay silent internally. Your CEO, your legal counsel, and your board need to know. Keeping the incident contained to IT while the business operates normally is not crisis management. It is a liability.

Do not communicate with attackers without guidance. If you receive ransom demands or other communications from the attacker, document them and involve your IT provider and legal counsel before responding.

How to Prepare Before a Breach Happens

The businesses that respond well to data breaches are almost always the ones that prepared before it happened. If you are reading this guide outside of an active incident, use this time well.

Develop and test an incident response plan before you need it. The plan should identify who does what, how decisions are made, and who has authority to take systems offline if needed. Run a tabletop exercise once a year to test whether it actually works.

Know your data. You cannot assess the scope of a breach if you do not know what data you hold, where it is stored, and who has access to it. A data mapping exercise is not glamorous, but it is foundational.

Invest in detection. You cannot respond to a breach you have not detected. Endpoint detection and response tools, security information and event management systems, and managed security monitoring all reduce the time between compromise and discovery. Undetected dwell time is still commonly measured in weeks or months. Closing it to hours changes your outcome dramatically, because the attacker has far less time to move laterally and exfiltrate before you contain them.

Engage a managed security partner now, not after an incident. Your managed cybersecurity provider should know your environment, your systems, and your obligations before they are called in at 2am during a crisis.

Ready to Build Your Breach Response Plan?

The 72-hour response window is manageable with the right preparation and the right support in place. If your business does not yet have an incident response plan, or if you are not confident your current plan will hold up under pressure, now is the time to address it.

Book a cybersecurity assessment with the Otto IT team and we will review your current posture, identify your notification obligations, and help you build a response plan that works when it matters most.

Frequently Asked Questions

Is there a legal 72-hour deadline for data breach notification in Australia?

No. Unlike the European GDPR, Australian law under the Privacy Act and the NDB scheme does not specify a fixed 72-hour notification deadline. However, the OAIC expects organisations to notify as soon as practicable after becoming aware of an eligible breach. In practice, most organisations should be able to complete their initial assessment and begin notification within 72 hours of discovery. Delays of weeks or months without good reason can result in regulatory action.

What is the NDB scheme and does it apply to my business?

The Notifiable Data Breaches scheme was introduced under the Privacy Act 1988 and requires covered entities to notify the OAIC and affected individuals when an eligible data breach occurs. It applies to Australian Government agencies, businesses with annual turnover above $3 million, and certain smaller businesses including health service providers, credit providers, and any organisation that handles tax file numbers. If you are unsure whether the scheme applies to your organisation, seek legal advice promptly.

What counts as an eligible data breach under Australian law?

An eligible data breach has three components: unauthorised access to or disclosure of personal information (or loss of personal information where access or disclosure is likely), a likelihood of serious harm to one or more individuals as a result, and an inability to prevent that serious harm from occurring. All three elements must be present for the mandatory notification obligation to be triggered.

Should I call the police after a data breach?

If you have reason to believe a crime has been committed, which includes most ransomware attacks and deliberate data theft, you should report the incident to the police. The usual route is ReportCyber at cyber.gov.au, which forwards the report to the relevant law enforcement jurisdiction. This does not replace your obligations under the NDB scheme. Both can and should happen in parallel where relevant.

How can AI tools like Copilot help during a breach response?

AI tools can help in several practical ways during a breach response. They can assist with drafting your incident timeline from raw notes, help structure your OAIC notification, draft client communications for human review, and summarise technical findings into plain language for executive briefings. They cannot replace the judgement of your IT team and legal counsel, but they can significantly reduce the administrative burden during a high-pressure situation.

What is the difference between this guide and a general notification guide?

This guide focuses specifically on the response timeline in the first 72 hours after discovery. For a detailed breakdown of the formal OAIC notification requirements, thresholds, and the mechanics of the NDB scheme, see our dedicated guide on data breach notification for Australian businesses.
