The Australian Small Business and Family Enterprise Ombudsman has urged all SMEs to urgently prepare for the impending mandatory data breach reporting rules, which take effect from 22 February 2018.
“If an unauthorised entity accesses anyone’s personal information from a business computer system, where it is likely to result in serious harm to that individual, that data breach will have to be reported to the Office of the Australian Information Commissioner (OAIC), as well as the individual affected,” Ombudsman Kate Carnell said.
“An unauthorised entity could be an employee, an independent contractor or an external third party, such as a hacker (via cyber attack).
“Serious harm to an individual may include physical, psychological, emotional, financial or reputational harm.”
Ms Carnell said that with hefty penalties for non-compliance under the new rules, SMEs “can’t afford” to be unprepared. Yet a staggering number appears to be just that.
“Small businesses can’t afford not to understand what the new laws mean to them, and yet I’ve read … a new study reporting 44 per cent of Australian businesses are not fully prepared,” Ms Carnell said.
“Another report by Telstra last year found 33 per cent of small businesses don’t take proactive measures to protect against cyber breaches.
“With penalties of up to $360,000 for individuals and $1.8 million for organisations, the impact of a breach on a small business is devastating.”
While SMEs generally lack the resources to deal with issues such as cyber security, the risk that a serious breach poses to the viability of a business is enormous, even without considering the new compliance rules.
“Protect your business’s data like you would your office: lock up at night, don’t give the keys to anyone you don’t trust, and report any suspicious activity that takes place on your premises,” she said.
More information on the mandatory data breach reporting rules, including how to report a breach, is available on the OAIC website.