
Data Breach Crisis Communications: What Australian Companies Must Do

By Peter Wilkinson, June 30, 2026

A data breach is one of the fastest-moving crises an Australian organisation can face. It is both a reputation risk if executed badly, and an opportunity if executed well. Regulatory obligations kick in within 30 days. Customers want answers within hours, sometimes minutes. Journalists may know before you do. And every decision made in the first 24 hours – what to say, to whom, through which channels – shapes both the legal outcome and the reputational one.

Data breach crisis communications is a specialist discipline. It sits at the intersection of legal strategy, regulatory compliance, and public communications. Getting one right without the others is not enough.

The author – Peter Wilkinson

The First 24 Hours After a Data Breach

The first 24 hours of data breach crisis communications are the most consequential. The decisions made, or not made, in this window determine how the event is framed, how regulators respond, and whether the organisation’s response is seen as responsible or evasive.

The moment a data breach is confirmed, or reasonably suspected, four things must happen simultaneously:

Data breach response in Australia is not a communications problem with a legal dimension. It is a communications, legal, and regulatory problem that must be managed as one.

Who Needs to Be Told and When

One of the most consequential decisions in data breach crisis communications is sequencing: who is notified, in what order, and through which channel. Getting this wrong creates a second story: that the organisation told the wrong people first, or told some people before others.

| Who | When | Why / Notes |
|---|---|---|
| Your board | Immediately | A data breach is a board-level governance event. The board needs to be informed before any external communication. |
| Your legal team | Immediately | As above. Legal strategy and communications strategy must be developed together from the outset. |
| The OAIC | Within 30 days of becoming aware of an eligible data breach | Required under the Notifiable Data Breach (NDB) scheme. The form is available at oaic.gov.au. If there is a risk of serious harm, notification should be expedited. |
| Affected individuals | Sometimes immediately, or as soon as practicable after notifying the OAIC | Required under the NDB scheme if the breach is likely to result in serious harm. The notification must include what happened, what data was affected, and what steps individuals can take. |
| Sector regulators | Depends on your industry | APRA-regulated entities, ASX-listed companies, and health service providers may have additional notification obligations and timelines. |
| Media | Sometimes immediately, as a way to reach affected customers; otherwise, when ready | Never notify the media before regulators and affected individuals, unless the media is the communications channel. Speak to your customers through the media. Do not speculate. |

What to Say and What Not to Say

The language used in the first statement is the language that defines the event. It is the language journalists quote, regulators remember, and affected individuals share. Cyber breach communications demands precision: not legal hedging, not corporate speak, and not false reassurance.

Regulatory Obligations Under Australian Law

Australia’s Notifiable Data Breach (NDB) scheme, which operates under the Privacy Act 1988, requires organisations covered by the Act to notify both the OAIC and affected individuals when a data breach is likely to result in serious harm.

How Wilkinson Group Helps

Wilkinson Group provides data breach crisis communications counsel to Australian CEOs, internal PR teams, boards, and general counsel. When a breach occurs, we work alongside your legal team to develop a communications strategy for regulators, affected individuals, employees, and the media that is both legally defensible and reputationally sound.

Peter Wilkinson has advised Australian organisations through data breaches, cyber incidents, and regulatory investigations since the earliest high-profile breach in 2017/8. He spent 30 years as a journalist before moving into crisis PR, which means he understands exactly how the media will approach the story, and how to stay ahead of it.

If you are dealing with a data breach right now

Call Peter Wilkinson directly: +61 414 383 433
Available 24/7 · wilkinson-group.com.au