Data Breach Response | privacysorted.com.au

Your 30-day timeline

Day 1-3: Contain the breach and begin your initial assessment. Preserve evidence. Do not delete anything.
Day 3-10: Investigate the full scope. Identify all affected individuals and data types. Document everything.
Day 10-25: Prepare your notification to the OAIC and affected individuals. Draft communications.
Day 25-30: Submit your notification to the OAIC and notify affected individuals. The 30-day clock starts when you become aware of the breach.

Immediate actions

Isolate affected systems or accounts immediately
Change passwords and revoke access for compromised accounts
Preserve all logs, emails, and evidence (do not delete anything)
Document exactly what happened, when, and who was involved
Identify all individuals whose data may have been affected
Assess whether serious harm to any individual is likely
Brief your privacy officer or practice principal
Contact your cyber insurance provider (if applicable)

Report to the Notifiable Data Breaches scheme at oaic.gov.au

Important: This is guidance only, not legal advice. The assessment above is based on your inputs and the general criteria of the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988. For serious breaches, contact legal counsel immediately. You have 30 days from becoming aware of a breach to complete your assessment and notify the OAIC if required.