Notifiable Data Breach Response for Perth SMBs After a Ransomware Incident: Get the OAIC Notification Right Under Pressure
Your Monday morning starts with a phone call from your office manager: nothing is opening, the file server is showing a ransom note, and your bookkeeper’s laptop is displaying the same screen. The IT provider is already on the line talking about backups and rebuild timelines. But there is a second clock running that nobody in the room is watching yet — the OAIC clock. If customer or employee personal information was on those encrypted systems (and it almost certainly was), you may have an eligible data breach on your hands, and the Privacy Act gives you a tight window to assess and notify. Notifiable Data Breach (NDB) Response from Cyber by Exegesis is the engagement that runs that second clock for you while your IT provider handles the rebuild.
The problem
Ransomware is the top cyber loss category for Australian SMBs by impact, and most Perth SMBs treat it as a pure IT incident — restore from backup, pay or don’t pay, move on. The OAIC Notifiable Data Breaches scheme says otherwise. Under Part IIIC of the Privacy Act 1988, if personal information held by your business was accessed or disclosed in a way likely to result in serious harm, you have an obligation to assess the breach expeditiously (and generally within 30 days) and notify both the OAIC and affected individuals.
The hard part is not the form. The hard part is the assessment: did the attackers exfiltrate data before encryption, or only encrypt? Which individuals are affected, and what fields? Is the likely harm “serious” within the meaning of the scheme? Most Perth SMBs reach for a privacy lawyer at this point and discover the lawyer wants a forensic statement of facts that nobody has written yet. Meanwhile the 30-day clock is ticking, the ACSC Small Business Cyber Security Guide is being read for the first time, and your staff are guessing at what to tell customers who are starting to ask questions.
What Notifiable Data Breach Response does
Cyber by Exegesis runs a fixed-scope post-incident engagement targeting the OAIC NDB obligation specifically:
- A scope-assessment workshop within 48 hours of engagement — what systems were touched, what categories of personal information they held, and what evidence exists of exfiltration versus encryption-only.
- An eligible-data-breach determination written against the OAIC’s “likely to result in serious harm” test, with the reasoning documented so your board, your insurer, and your lawyer all see the same analysis.
- Drafting of the affected-individual notification — plain English, with the elements the OAIC expects (description of the breach, kinds of information involved, recommended steps for individuals).
- Drafting and submission support for the OAIC notification via the Notifiable Data Breach form.
- A short written report capturing the timeline, the determination, the notifications sent, and the residual obligations you carry forward.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is the regulatory response layer. We are not your incident responder, your forensic firm, or your privacy lawyer; we coordinate with all three and we own the OAIC-facing deliverable.
How it works
- We take the engagement on a same-day call, confirm scope, and ask for a short written briefing from your IT provider or forensic firm on what is known.
- We run the scope-assessment workshop (60–90 minutes) with you, your IT lead, and ideally your lawyer to build the factual baseline.
- We draft the eligible-data-breach determination and walk you through it — this is the document everything else flows from.
- We draft the individual notification and the OAIC submission in parallel, and you (or your lawyer) sign them off.
- We submit (or support your submission) and hand you the written report with the 30-day, 60-day, and 12-month obligations clearly marked.
Why this matters in Perth
Perth SMBs sit in a market with heavy concentrations in mining services, professional services, and healthcare — all sectors that hold sensitive personal information and all sectors that have appeared in ACSC and OAIC reporting on ransomware-driven breaches. The time-zone gap with the eastern states matters here too: a Perth SMB hit on a Friday afternoon often loses the first 48 hours of the OAIC clock simply because eastern-states advisers are unreachable. A Perth-aware engagement that starts the assessment immediately is the difference between a clean, defensible notification and a late one that the OAIC asks questions about.
Sources
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- ACSC Essential Eight Maturity Model (for post-incident hardening context): https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- Cyber by Exegesis — Notifiable Data Breach Response (waitlist)
Join the waitlist
We are sequencing engagements by sector and by incident type (ransomware first, BEC-linked breaches second). Join the waitlist with your sector and a one-line description of your data holdings — we will tell you when we are ready to take a brief from your business, and we will flag the engagement as priority if you contact us mid-incident.