Small businesses face stiff penalties under new data breaches scheme, Ombudsman warns
With just over three weeks until mandatory data breach reporting laws come into effect, the Australian Small Business and Family Enterprise Ombudsman (ASBFEO), Kate Carnell, has urged small businesses to ensure they are prepared as a matter of urgency.  

From 22 February, organisations with personal information security obligations under the Privacy Act 1988 will be covered by the Notifiable Data Breaches (NDB) scheme, which is administered by the Office of the Australian Information Commissioner (OAIC).

According to the Ombudsman, where an individual is likely to suffer ‘serious harm’ due to an ‘unauthorised entity’ accessing their personal information from an organisation’s computer system, that organisation must notify the OAIC as well as the individual of the data breach.

She noted that an ‘unauthorised entity’ could refer to an employee, independent contractor or external third party (e.g. a hacker) and that ‘serious harm’ may include physical, psychological, emotional, financial or reputational harm.

The Ombudsman said the NDB scheme carries significant financial penalties – up to $360,000 for individuals and $1.8 million for organisations – meaning small businesses that collect personal information from their customers and staff “can’t afford not to understand what the new laws mean to them”.

She continued, “Yet, I’ve read this morning a new study reporting 44 per cent of Australian businesses are not fully prepared. Another report by Telstra last year found 33 per cent of small businesses don’t take proactive measures to protect against cyber breaches.”

Carnell said information on what a breach is, how to report a breach, or how to take steps to avoid notification in a timely manner can be accessed from the OAIC website.

“With the new laws commencing in around three weeks, I suggest small business operators also read our Cyber Security Best Practice Guide, which was released earlier this month,” she said.

“This free guide will help small businesses understand the risks and how to prevent cyber-attacks. It explains very simply what cyber security is, who to talk to and provides links to further information.

“Small businesses are particularly vulnerable to sophisticated cyber criminals as they often lack the time and resources to properly investigate and understand this very real threat.

“Protect your business’s data like you would your office: lock up at night, don’t give the keys to anyone you don’t trust, and report any suspicious activity that takes place on your premises.”

See also: A last-minute guide to preparing your business for Australia’s new data breach regulations