A data breach is one of the fastest-moving crises an Australian organisation can face. It is both a reputation risk if executed badly, and an opportunity if executed well. Regulatory obligations kick in within 30 days. Customers want answers within hours, sometimes minutes. Journalists may know before you do. And every decision made in the first 24 hours – what to say, to whom, through which channels – shapes both the legal outcome and the reputational one.
Data breach crisis communications is a specialist discipline. It sits at the intersection of legal strategy, regulatory compliance, and public communications. Getting one right without the others is not enough.

The author – Peter Wilkinson
The First 24 Hours After a Data Breach
The first 24 hours of data breach crisis communications are the most consequential. The decisions made, or not made, in this window determine how the event is framed, how regulators respond, and whether the organisation’s response is seen as responsible or evasive.
The moment a data breach is confirmed, or reasonably suspected, four things must happen simultaneously:
- Contain the breach. Work with your IT and cybersecurity team to stop further unauthorised access. Document what happened and when.
- Engage legal counsel. Data breach response in Australia is legally complex. Your lawyers need to be across the situation before any public statement is made.
- Engage crisis communications counsel. Cybersecurity crisis PR is a distinct specialisation. The adviser needs to be aligned with your legal team, not working around them.
- Begin your notification assessment. Under Australia’s Notifiable Data Breach scheme, the clock starts from when you suspect a breach may have occurred, not when it is confirmed.
Data breach response in Australia is not a communications problem with a legal dimension. It is a communications, legal, and regulatory problem that must be managed as one.
Who Needs to Be Told and When
One of the most consequential decisions in data breach crisis communications is sequencing: who is notified, in what order, and through which channel. Getting this wrong creates a second story: that the organisation told the wrong people first, or told some people before others.
| Who | When | Why / Notes |
|---|---|---|
| Your board | Immediately | A data breach is a board-level governance event. The board needs to be informed before any external communication. |
| Your legal team | Immediately | As above. Legal strategy and communications strategy must be developed together from the outset. |
| The OAIC | Within 30 days of becoming aware of an eligible data breach | Required under the Notifiable Data Breach (NDB) scheme. The form is available at oaic.gov.au. If there is a risk of serious harm, notification should be expedited. |
| Affected individuals | Sometimes immediately, or as soon as practicable after notifying OAIC | Required under the NDB scheme if the breach is likely to result in serious harm. The notification must include what happened, what data was affected, and what steps individuals can take. |
| Sector regulators | Depends on your industry | APRA-regulated entities, ASX-listed companies, and health service providers may have additional notification obligations and timelines. |
| Media | Sometimes immediately as a way to reach affected customers. Sometimes, when ready. | Never notify media before regulators and before affected individuals, unless the media is the communications channel. Speak to your customers through the media. Do not speculate. |
What to Say and What Not to Say
The language used in the first statement is the language that defines the event. It is the language journalists quote, regulators remember, and affected individuals share. Cyber breach communications demands precision: not legal hedging, not corporate speak, and not false reassurance.
- Acknowledge that an incident has occurred and that you are investigating.
- State clearly what is known and what is not yet known.
- Describe what steps the organisation has taken to contain the breach. Be empathetic.
- Tell affected individuals specifically what data was involved. Customers may be anxious.
- Explain what individuals should do to protect themselves.
- Provide a point of contact: a dedicated email or phone number for enquiries.
- Do not say “We take your privacy seriously” without specific action behind it; it is now widely recognised as empty language. The same applies to saying “Sorry” or offering any other apology.
- Do not speculate on the source of the breach before it is confirmed.
- Do not minimise: avoid phrases like “a small number of records” if the number is not yet known.
- Do not make promises about what will happen that you cannot guarantee.
- Do not issue any statement before it has been reviewed by legal counsel.
Regulatory Obligations Under Australian Law
Australia’s Notifiable Data Breach (NDB) scheme, which operates under the Privacy Act 1988, requires organisations covered by the Act to notify both the OAIC and affected individuals when a data breach is likely to result in serious harm.
- Timeframe: Notify the OAIC as soon as practicable. The legislation anticipates notification within 30 days of becoming aware of an eligible data breach.
- Serious harm test: The NDB scheme applies when a breach is likely to result in serious harm to any individual whose data was involved. “Likely” means more probable than not.
- OAIC notification: Submit a data breach notification form to the OAIC. The form requires a description of the breach, the data involved, and the steps taken in response. This is OAIC communications: it must be accurate, complete, and submitted promptly.
- Individual notification: Affected individuals must be notified directly, by email, letter, or through a prominent notice on the organisation’s website if direct contact is not possible.
- Sector-specific obligations: APRA-regulated entities (banks, insurers, superannuation funds) have additional obligations under the CPS 234 cybersecurity standard. ASX-listed companies may have continuous disclosure obligations. Health service providers are subject to the My Health Records Act.
How Wilkinson Group Helps
Wilkinson Group provides data breach crisis communications counsel to Australian CEOs, internal PR, boards, and general counsel. When a breach occurs, we work alongside your legal team to develop the communications strategy for regulators, affected individuals, employees, and the media, one that is both legally defensible and reputationally sound.
- Immediate availability, 24/7 when a breach is active.
- Communications strategy aligned with your legal position, including risk assessment.
- Drafting of all external statements, OAIC communications, and individual notifications.
- Media management, including holding statements, spokesperson preparation, and journalist relationship and enquiry management.
- Employee communications: internal briefings to contain information and maintain trust.
- Post-incident reputation management: restoring trust over the months following the event.
Peter Wilkinson has advised Australian organisations through data breaches, cyber incidents, and regulatory investigations since the earliest high-profile breach in 2017/8. He spent 30 years as a journalist before moving into crisis PR, which means he understands exactly how the media will approach the story, and how to stay ahead of it.
If you are dealing with a data breach right now
Call Peter Wilkinson directly: +61 414 383 433
Available 24/7 · wilkinson-group.com.au