The Right Way to Handle a Data Breach: Notify, Contain, Prevent

For business owners and managers, facing a data breach is a situation you hope never to deal with, but must be prepared for. A data breach happens when personal or sensitive information your organisation holds is accessed, shared, or lost without proper authorisation. It could be something as simple as a staff member sending an email to the wrong recipient or as serious as a cyberattack on your internal systems.

Data breaches can have serious consequences—not just for those affected but for your business’s legal standing and reputation. That’s why it’s vital to understand your obligations to notify both regulators and individuals, and to have a clear plan in place for how to respond.

In this guide, we’ll break down your responsibilities under Australia’s Notifiable Data Breach (NDB) Scheme and the practical steps you should take immediately after a breach occurs.

What Is the Notifiable Data Breach Scheme?

The Notifiable Data Breach (NDB) Scheme is part of Australia’s Privacy Act 1988. It applies to organisations known as APP entities, including most:

  • Businesses with over $3 million in annua
  • Health service providers or organisations handling health records
  • Companies that buy or sell personal information
  • Contractors servicing Commonwealth government contracts

Even if your business doesn’t fall into these categories, you can still choose to comply voluntarily.

Under this scheme, if your business experiences a data breach that is likely to result in serious harm, you must notify:

  • The Office of the Australian Information Commissioner (OAIC)
  • The individuals affected by the breach

Let’s walk through how to handle that process.

Step 1: Contain the Breach Immediately

As soon as you become aware of a potential or confirmed breach, your priority should be to stop further exposure and limit the damage.

Here’s what to do:

  • Isolate affected systems: disconnect compromised servers from the network and disable compromised user accounts (prefer isolation to powering off where you can, so logs and in-memory evidence survive for the investigation)
  • Revoke access where appropriate (e.g. block or wipe lost devices, reset compromised credentials and invalidate any sessions or tokens still open under them, since a password change alone does not always log an attacker out)
  • Preserve evidence (server and mail logs, copies of affected files or mailboxes, timestamps) before systems are rebuilt, for internal investigation and legal reporting
  • Consult your tech/security teams to establish how the breach occurred and prevent further spread

The exact actions you take will depend on the nature of the breach—but speed is essential.
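“Preserve evidence” is the step most often skipped in the rush to contain. The script below is an added example, not part of the original article: it copies the artefacts you will need later into a read-only bundle, records a SHA-256 hash and collection time for each file in a manifest, and can re-check the bundle afterwards so anyone reviewing the investigation can confirm nothing was altered. The file names, log lines and the `ir-lead` collector name are constructed samples.

```python
"""Evidence preservation helper (added example, not the article's own code).

Copies the artefacts needed later (auth logs, mail logs, access records)
into a read-only bundle and writes manifest.json with a SHA-256 hash and a
collection timestamp for each file. Re-hashing later shows whether anything
changed. All paths and log contents below are constructed samples.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(sources: list[Path], bundle_dir: Path, collector: str) -> Path:
    """Copy each source file into bundle_dir, make the copies read-only and
    write manifest.json describing them. Returns the manifest path."""
    bundle_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in sources:
        dest = bundle_dir / src.name
        shutil.copy2(src, dest)          # copy2 keeps the original modification time
        os.chmod(dest, 0o444)            # read-only so later steps cannot alter it
        entries.append({
            "file": dest.name,
            "original_path": str(src),
            "sha256": sha256_file(dest),
            "size": dest.stat().st_size,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = bundle_dir / "manifest.json"
    manifest.write_text(json.dumps(entries, indent=2))
    os.chmod(manifest, 0o444)
    return manifest


def verify_bundle(manifest: Path) -> list[str]:
    """Re-hash every file listed in the manifest. Returns the names of files
    that are missing or whose hash no longer matches; empty means intact."""
    problems = []
    for entry in json.loads(manifest.read_text()):
        path = manifest.parent / entry["file"]
        if not path.exists() or sha256_file(path) != entry["sha256"]:
            problems.append(entry["file"])
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Build a bundle from constructed sample logs, verify it, then tamper
    with one copy and verify again. Returns (before, after) problem lists."""
    work = Path(tempfile.mkdtemp())
    # Constructed sample artefacts standing in for real server logs.
    auth_log = work / "auth.log"
    auth_log.write_text(
        "Jun 02 09:14:02 mail sshd[811]: Accepted password for jsmith from 203.0.113.7\n")
    mail_log = work / "mail.log"
    mail_log.write_text(
        "Jun 02 09:15:40 mail postfix/smtp[902]: to=<wrong.recipient@example.com>, status=sent\n")

    manifest = collect_evidence([auth_log, mail_log], work / "bundle", "ir-lead")
    before = verify_bundle(manifest)     # intact bundle: no problems

    tampered = work / "bundle" / "auth.log"
    os.chmod(tampered, 0o644)
    tampered.write_text("")              # simulate someone "cleaning up" the log
    after = verify_bundle(manifest)      # the altered file is now reported
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run it before any rebuild or account reset, store the bundle somewhere the incident team cannot write to, and keep the manifest with your breach record: a regulator or lawyer asking “how do you know this log is what you collected on the day?” can be answered by re-running `verify_bundle`.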

Step 2: Assess the Risk and Determine If the Breach Is Notifiable

Not every data breach must be reported. You need to assess whether the breach meets the criteria of an “eligible data breach” under the NDB Scheme, and the scheme expects that assessment to be completed within 30 days of your becoming aware of a suspected breach. A breach is notifiable if:

  1. There was unauthorised access to, disclosure of, or loss of personal information
  2. The breach is likely to cause serious harm to the individuals involved
  3. You cannot prevent the harm through remedial action

What counts as “serious harm”?

Serious harm can be:

  • Financial (e.g., fraud or identity theft)
  • Emotional or psychological
  • Reputational

Consider these risk factors:

  • Is the information sensitive (e.g. health data, ID documents, financial details)?
  • Was the data adequately protected at the time?
  • Could malicious parties exploit the information?
  • How likely is it that someone will suffer harm?

For example, if a customer’s financial information is accessed and used to make fraudulent purchases, that clearly qualifies as a notifiable breach.

Step 3: Notify Affected Parties and the OAIC

If the breach is assessed as notifiable, you must notify both of the following as soon as practicable:

  • The OAIC
  • All individuals affected by the breach

What should you include in your notification?

Your communication should contain:

  • Your organisation’s name and contact details
  • A clear description of the breach—what happened and when
  • The types of information affected
  • The potential consequences for individuals
  • The steps you’re taking to manage the incident
  • Recommendations for individuals to protect themselves (e.g. change passwords, monitor accounts, watch for phishing that references the breach)

How should you notify individuals?

  • Direct channels are best—use email, phone, or in-app notifications if possible
  • If direct contact isn’t feasible, publish a public notice on your website or in a prominent location
  • Make sure your message is simple and accessible—avoid technical or legal jargon

Step 4: Implement Measures to Prevent Future Breaches

Once the immediate risk is addressed, focus on prevention. This isn’t just about compliance—it’s about protecting your business from repeat incidents.

Create or update a Data Breach Response Plan (DBR Plan) that includes:

  • Roles and responsibilities during a breach (e.g., who leads, who reports)
  • A checklist of immediate actions for different types of incidents
  • A process for logging and reviewing all breaches
  • Training programs for staff to avoid common security mistakes
  • Post-incident reviews to identify security gaps and update policies

Businesses that recover well from breaches are often those that were already prepared.

Key Takeaways

  • Data breaches are a growing risk—no business is too small to be targeted or impacted.
  • If a breach involves personal information and may result in serious harm, you may be legally required to notify both the OAIC and your customers.
  • Acting quickly, communicating clearly, and having a tested breach response plan are crucial to limiting legal, financial, and reputational damage.
  • Prevention and preparation are just as important as response.

Need Help With a Breach Notification?

Handling a data breach is high-pressure, high-stakes work. Don’t leave it to chance.

At Bare Media, we help businesses create fast, clear, and legally-compliant breach notifications and guide them through distribution strategies that minimise fallout and protect their reputation.