New legislation introducing mandatory data breach reporting will come into effect on 22 February this year. The Australian Small Business and Family Enterprise Ombudsman has urged small businesses to prepare urgently for this legislation, which carries significant financial penalties and will affect any small business that collects personal information from its customers and staff.

Any unauthorised access to a person’s personal information held on a business computer system that is likely to result in serious harm to that individual will have to be reported to the Office of the Australian Information Commissioner (OAIC), as well as to the individual affected. The breach could come from any unauthorised entity: an employee, an independent contractor or an external third party such as a hacker (via cyber attack). The serious harm to the individual could be to their reputation, or could be physical, psychological, emotional or financial.

On 31 January 2018, the Small Business Ombudsman, Kate Carnell, issued a warning. “Small businesses can’t afford not to understand what the new laws mean to them, and yet I’ve read this morning a new study reporting 44 per cent of Australian businesses are not fully prepared,” Ms Carnell said. “Another report by Telstra last year found 33 per cent of small businesses don’t take proactive measures to protect against cyber breaches. With penalties of up to $360,000 for individuals and $1.8 million for organisations, the impact of a breach on a small business is devastating.”

Information on what a breach is, how to report a breach, and how to take timely steps to avoid the need for notification is available from the OAIC website.

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency headed by the Australian Information Commissioner and sitting within the Attorney-General’s portfolio. The agency has three primary functions: privacy functions, conferred by the Privacy Act 1988 (Privacy Act) and other laws; freedom of information functions, in particular oversight of the operation of the Freedom of Information Act 1982 (FOI Act) and review of decisions made by agencies and ministers under that Act; and government information policy functions, conferred on the Australian Information Commissioner under the Australian Information Commissioner Act 2010 (AIC Act).

The OAIC’s responsibilities include:

  • conducting investigations
  • reviewing decisions made under the FOI Act
  • handling complaints
  • monitoring agency administration
  • providing advice to the public, government agencies and businesses.

Earlier this month a free guide, the Cyber Security Best Practice Guide, was released that explains very simply what cyber security is and who to talk to, and provides links to further information. Small businesses are particularly vulnerable to sophisticated cyber criminals, so it is good practice to protect your business’s data as you would your office: lock up at night, back up your data on an external hard drive or by some other means, and don’t give the keys to anyone you don’t trust. Always be aware of, and report, any suspicious activity that takes place on your premises.

Marilyn Rulyancich, Business Development Advisor, Business South West