Notifiable Data Breach Response for Sydney SMBs After a Ransomware Incident: Get the OAIC Notification Right Under Pressure

Your file server is encrypted. A ransom note sits on every desktop. Your IT provider is trying to restore from backup, your director is on the phone to the insurer, and somewhere in the back of your mind is the question nobody wants to ask out loud: did the attackers take a copy of the data before they encrypted it, and if they did, do we have to tell the OAIC and every customer whose details were in those files? Notifiable Data Breach (NDB) Response from Cyber by Exegesis is the engagement designed to answer that question correctly, within the timeframes the Privacy Act expects, while your team is still in crisis mode.

The problem

Ransomware is consistently the highest-impact cyber loss category for Australian SMBs, and modern ransomware is rarely just encryption — attackers exfiltrate data first and use the threat of publication as a second lever. Under the OAIC Notifiable Data Breaches scheme, that exfiltration changes the legal posture of the incident. If personal information was accessed or disclosed in a way that is likely to result in serious harm, and the organisation cannot prevent that harm through remedial action, the breach is an “eligible data breach” under Part IIIC of the Privacy Act 1988 — and notification to the OAIC and to affected individuals is required.

Most Sydney SMBs hit by ransomware do not have a privacy officer, have never read the NDB guidance, and are trying to make a notification call in the same 72 hours they are trying to restore operations. The result is either over-notification (which damages customer trust unnecessarily) or under-notification (which creates a regulatory problem on top of the incident itself). The ACSC Small Business Cyber Security Guide is clear that incident response and breach notification are separate workstreams — and most SMBs only have capacity for one.

What NDB Response does

Cyber by Exegesis runs a fixed-scope post-incident engagement focused entirely on the notification workstream.

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is the notification workstream only. We are not your incident responder, your forensic investigator, or your IT recovery team; we work alongside whoever is filling those roles and take the privacy obligation off their desk.

How it works

  1. We take a 30-minute intake call as soon as you engage us — what happened, when you became aware, what systems and what data are in scope, who is doing the forensics.
  2. We build the data-type inventory from your forensic provider’s findings and your own records, mapping what personal information is implicated.
  3. We run the eligible-data-breach test against the OAIC’s published criteria and document the reasoning, including whether remedial action removes the likelihood of serious harm.
  4. If the breach is notifiable, we draft both notifications (OAIC and affected individuals), review with your director and legal counsel, and submit to the OAIC.
  5. We leave you with a written record of the assessment and notifications, plus a short brief on the 30-day reasonable-assessment window if the picture is still developing.

Why this matters in Sydney

Sydney concentrates Australia’s professional services, financial services, and healthcare-adjacent SMBs — exactly the businesses that hold customer PII at volume and exactly the businesses ransomware operators target. A Sydney SMB hit by ransomware is far more likely than the national average to also be a covered entity under the NDB scheme, either because turnover exceeds the $3M threshold or because the sector (health, credit, TFN handling) brings them in regardless. Getting the notification workstream right — neither under-notifying and creating regulatory exposure, nor over-notifying and burning customer relationships — is the difference between a recoverable incident and a compounding one.

Join the waitlist

Join the waitlist — first access when Cyber by Exegesis opens NDB Response for Sydney SMBs

We are sequencing engagements by sector and by incident posture (active incidents prioritised over retrospective reviews). Join the waitlist with your sector and a brief note on your current situation — we will tell you when we are ready to take a brief from your business.