Notifiable Data Breach Response for Brisbane SMBs After a Ransomware Incident: Work Out What You Owe the OAIC, and to Whom

It is Tuesday morning and half your shared drives are encrypted. There is a ransom note on three workstations, your accounts system will not open, and someone has just realised the backups have not been verified since last year. The attackers are claiming they exfiltrated customer records before they encrypted. You are now sitting with two questions at once: how do we get the business back, and do we have to tell the OAIC and our customers? Notifiable Data Breach Response from Cyber by Exegesis is the fixed-scope engagement that answers the second question — properly, on the statutory clock, and in writing.

The problem

Ransomware is the top SMB cyber loss category in Australia by impact, and modern ransomware crews almost always claim to have exfiltrated data before encrypting. Under Part IIIC of the Privacy Act 1988, if your organisation is covered by the Privacy Act and a ransomware incident has resulted in unauthorised access to or disclosure of personal information that is likely to result in serious harm, you have an obligation under the OAIC Notifiable Data Breaches scheme to notify the OAIC and affected individuals — and the clock on the assessment is short.

Most Brisbane SMBs in the middle of a ransomware incident are doing three things at once: trying to restore from backup, talking to their cyber insurer, and asking their MSP what happened. Almost nobody is running a clean, documented assessment of whether the incident is an eligible data breach under the NDB scheme. That gap is where the regulatory exposure compounds — late or absent notification is itself a problem, separately from the ransomware.

What Notifiable Data Breach Response does

Cyber by Exegesis runs a fixed-scope post-incident engagement focused on the NDB obligation, not on the technical recovery:

Cyber by Exegesis is the cyber consultancy line of Exegesis, alongside the DRMO live product. On NDB response, we sit alongside your incident responder and your lawyer — we do not replace either. Our scope is the regulatory assessment and the notification, done cleanly.

How it works

  1. We take the engagement on a same-day call, confirm scope, and ask you for the incident timeline, the IR firm’s report (if one exists yet), and a list of systems and data stores affected.
  2. We map the affected data against the personal-information definitions in the Privacy Act and produce a draft scope-of-breach document within 48 hours.
  3. We work through the eligible-data-breach test with you and your lawyer, document the reasoning, and confirm the notification decision in writing.
  4. We draft the affected-individual notification and the OAIC submission in parallel, and walk you through both before anything is sent.
  5. We submit the OAIC notification with you and hand over the full written record for your insurer, board, and future audit.

Why this matters in Brisbane

Brisbane’s SMB base — construction, logistics, healthcare allied services, professional services for the resources sector — holds significant volumes of customer and contractor personal information, often in systems that were never designed with the NDB scheme in mind. When a Queensland SMB gets hit with ransomware, the technical recovery usually gets attention first and the OAIC obligation gets attention late, if at all. A clean, documented NDB assessment within the statutory window protects the business from a second regulatory incident layered on top of the first one — and gives affected customers in Brisbane the notification they are entitled to under federal law.


Join the waitlist — first access when Cyber by Exegesis opens NDB Response for Brisbane SMBs

We sequence NDB response engagements by incident timing and sector. If you are mid-incident now, flag it on the waitlist form — we triage live incidents ahead of preventive enquiries. Otherwise, join the waitlist with your sector and approximate headcount so we can be ready when you need us.