The first 72 hours of a data breach decide most of what follows: how far the attacker gets, whether the evidence survives, whether the regulator sees a competent response or a scramble, and how much of the story the organisation gets to tell in its own words. This is the hour-by-hour sequence Frontrow works through with Australian mid-market organisations, written to be lifted into an incident response plan before it is needed. The legal frame underneath it is the Privacy Act 1988's Notifiable Data Breaches (NDB) scheme, plus newer reporting obligations noted below.
Hour 0–1: contain, and start the log
- Isolate affected systems: disable compromised accounts, revoke active sessions and tokens in Microsoft Entra ID, isolate affected endpoints in Defender. Contain first, investigate second.
- Do not wipe or rebuild anything yet. Reimaging a compromised laptop in hour one destroys the forensic record the insurer, investigators and regulator will all want.
- Start a timestamped incident log immediately: who found what, when, and every action taken. This log becomes the backbone of the OAIC statement, the insurance claim and the board report.
- Declare the incident internally and name a single incident lead. Committees do not contain breaches.
Hour 1–4: assemble and notify inward
- Stand up the response team: incident lead, IT/security, legal or privacy officer, communications, and the executive owner. Small organisations may hold four of those hats on two heads; name them anyway.
- Call the cyber insurer's hotline before commissioning external help. Most policies require notification before costs are incurred, and many appoint their own forensic panel.
- Engage legal advice early if personal information is plausibly involved. Legal professional privilege over the investigation is a decision for hour two, not day five.
- Move sensitive coordination off the potentially compromised tenant if account compromise is suspected: an out-of-band channel such as phone or Signal, until identity is verifiably clean.
Hour 4–24: scope, evidence, and external reporting
- Establish what data was actually touched. Entra ID sign-in logs, the unified audit log in Purview, mailbox audit records and Defender timelines answer the question 'what could this account reach, and what did it reach'. This scoping determines every legal obligation that follows.
- Preserve evidence deliberately: export relevant logs before retention windows roll, snapshot affected VMs, keep the compromised device powered but isolated.
- Report the incident to the Australian Signals Directorate via ReportCyber. For critical infrastructure entities covered by the SOCI Act, mandatory clocks are short: critical incidents within 12 hours, other significant incidents within 72 (confirm current rules against your obligations register).
- Reset credentials in the right order: attacker persistence first (rogue app registrations, inbox rules, MFA method changes, forwarding rules), then compromised accounts, then any account the compromised ones could administer.
Hour 24–48: the serious-harm assessment
Under the NDB scheme, an eligible data breach exists when personal information has been accessed or disclosed without authorisation (or lost where access is likely), and a reasonable person would conclude the access is likely to result in serious harm to any affected individual, and remedial action has not removed that likelihood. The assessment weighs the kind of information (identity documents, financial and health data rank highest), whether protections such as encryption held, who has the data, and what remediation has already achieved. The Privacy Act allows up to 30 days for this assessment where the breach is only suspected, but 30 days is a ceiling, not a target: an organisation that knows by hour 36 should act by hour 36. Document the assessment and its reasoning even if the conclusion is that notification is not required; the reasoning is what the OAIC will ask for.
Hour 48–72: notify outward and steady the ship
- If the breach is eligible, notify the OAIC via its online NDB form and notify affected individuals as soon as practicable. The statement must describe the breach, the information involved and the steps individuals should take.
- Write the individual notification for the reader, not the lawyer: what happened, what of theirs is affected, what the organisation has done, what they should do (credential resets, IDCARE's services, credit monitoring where identity documents are involved), and a real contact channel that will be staffed.
- Brief staff before the public knows, with a short holding line and a clear instruction on where to route enquiries. Frontline staff finding out from customers is an avoidable second incident.
- Board and executive briefing with the facts as known, the uncertainty as it stands, and the decision points ahead. Serious and repeated privacy failures now carry penalties for bodies corporate up to the greater of AU$50 million, three times any benefit obtained, or 30 per cent of adjusted turnover, which is generally sufficient to secure the board's attention.
After hour 72
Recovery, hardening and the post-incident review follow, and they go better when the first 72 hours were orderly. The uncomfortable finding in most Australian post-incident reviews is that the response went badly not because the plan was wrong but because there was no plan: nobody knew who declared an incident, where the insurer's number was, or that the 30-day assessment window existed. The fix costs an afternoon. Write the plan, put the phone numbers in it, and run one tabletop exercise a year. Frontrow's NDB readiness tool below scores an organisation against exactly these preparation gaps, and the Essential Eight assessment at frontrowtech.com.au/tools/essential-eight scores the controls that make the breach less likely in the first place.
Try it
Score your NDB readiness in five minutes
The Notifiable Data Breach readiness tool walks the preparation questions above (plan, roles, assessment process, notification machinery) and returns a graded gap list to take to the next executive meeting.
10 questions · 5 domains
Notifiable Data Breach Readiness Check
Under the NDB scheme you have 30 days from awareness to assess whether a breach is notifiable, and you must then notify OAIC and affected individuals as soon as practicable. Score whether your Microsoft 365 tenant can detect, scope, notify, remediate and improve fast enough to meet the clock. Pick the option closest to your tenant today.
Domain 1
Detect
Mean time to detect a personal information breach. Without detection, the 30-day clock never starts and the breach gets discovered when an affected individual raises it.
What's your estimated mean time to detect a personal-information breach in your M365 tenant?
Source: OAIC Notifiable Data Breaches Report (median discovery times); Microsoft Learn: Microsoft Defender XDR.
What's your Purview Audit log retention?
Source: Microsoft Learn: Microsoft Purview Audit (Premium); Audit log retention policies.
Domain 2
Scope
How quickly you can determine which individuals' personal information was accessed, exfiltrated or modified. The scoping work is what feeds the OAIC notification.
Can you reconstruct the scope of a data exposure (which files accessed, by whom, exfiltrated where) within 7 business days?
Source: Microsoft Learn: Microsoft Purview eDiscovery (Premium); Microsoft Defender for Cloud Apps file investigation.
Can you determine which categories of personal information were involved (health, financial, government identifier) without a manual file-by-file review?
Source: Microsoft Learn: Microsoft Purview sensitive information types; Trainable classifiers in Microsoft Purview.
Domain 3
Notify
Whether you have a documented notification flow, OAIC contact established, communications templates ready, and legal review pre-arranged.
Do you have a documented notifiable data breach response runbook covering OAIC notification, individual notification and stakeholder communications?
Source: OAIC Notifiable Data Breaches scheme — entity guidance; Privacy Act 1988 s 26WK (notification timing).
Are individual notification templates pre-drafted and legally reviewed?
Source: OAIC: Notifying individuals about an eligible data breach; Privacy Act 1988 s 26WL.
Domain 4
Remediate
Whether the organisation can contain the breach (rotate credentials, revoke tokens, disable accounts, isolate devices) within hours, and preserve evidence for forensic analysis.
Do you have containment runbooks for the common breach patterns (compromised user, compromised service principal, compromised endpoint)?
Source: Microsoft Learn: Investigate and respond to incidents in Microsoft Defender XDR; Microsoft Sentinel automation rules and playbooks.
How is evidence preserved during containment to support OAIC investigation and post-incident review?
Source: Microsoft Learn: Microsoft Purview Audit; Microsoft Defender for Endpoint live response; ISO 27037 digital evidence handling.
Domain 5
Continuous improvement
Whether tabletop exercises run, post-incident reviews update controls, and OAIC published trends inform internal control updates.
When did you last run a tabletop exercise for a notifiable data breach scenario?
Source: OAIC Notifiable Data Breaches Report (sectoral trends); ASD Cyber Incident Response Plan guidance.
After a real or simulated incident, how are control updates tracked through to closure?
Source: ASD Cyber Incident Response Plan guidance; ISO 27035 information security incident management.
This is an indicative self-assessment. It is not a substitute for an incident readiness exercise or legal advice. Frontrow Technology offers a Notifiable Data Breach readiness review with a tabletop exercise.