Businesses underprepared for mandatory data breach reporting laws
Small businesses have been urged to prepare for the introduction of mandatory data breach reporting laws, which will take effect from 22 February.
Under the new laws, if an unauthorised entity accesses somebody’s personal information from a business computer system, where it is likely to result in serious harm to that individual, that data breach will have to be reported to the Office of the Australian Information Commissioner (OAIC), as well as the individual affected.
“An unauthorised entity could be an employee, an independent contractor or an external third party, such as a hacker (via cyber attack),” said Kate Carnell from the OAIC.
“Serious harm to an individual may include physical, psychological, emotional, financial or reputational harm.”
Carnell warned this legislation carried significant financial penalties, and would affect any small business that collects personal information from their customers, and staff.
“Small businesses can’t afford not to understand what the new laws mean to them, and yet I’ve read this morning a new study reporting 44% of Australian businesses are not fully prepared,” she said.
“Another report by Telstra last year found 33% of small businesses don’t take proactive measures to protect against cyber breaches.
“With penalties of up to $360,000 for individuals and $1.8 million for organisations, the impact of a breach on a small business is devastating.”
Information on what a breach is, how to report a breach or how to take steps to avoid notification in a timely manner can be accessed from the OAIC website.
“With the new laws commencing in around three weeks, I suggest small business operators also read our Cyber Security Best Practice Guide, which was released this earlier month,” said Carnell.
“This free guide will help small businesses understand the risks and how to prevent cyber attacks. It explains very simply what cybersecurity is, who to talk to and provides links to further information.
“Small businesses are particularly vulnerable to sophisticated cybercriminals as they often lack the time and resources to properly investigate and understand this very real threat.
“Protect your business’s data like you would your office: lock up at night, don’t give the keys to anyone you don’t trust and report any suspicious activity that takes place on your premises.”
Small businesses will only be required to comply with the Notifiable Data Breaches scheme if they fall into certain categories.
Why the information lifecycle will be vital to data privacy in 2025
Data accessibility, accountability, confidentiality and integrity are becoming increasingly...
You can't win the AI game without a playmaker captain
Kubernetes and containers promise to bring cohesion to the otherwise complex world of modern apps.
Fixing the cybersecurity skills gap in Australia
Industry needs to mend the broken pathway from cybersecurity education to employment.