3 in 5 businesses not aware of new data breach laws in effect from today
A study has revealed small businesses in particular are the least concerned about data security.
New mandatory data breach laws come into effect today, but a study from Canon Australia has found that the majority of businesses are unaware of them. The Notifiable Data Breaches amendment to the Privacy Act mandates that all businesses covered by the act must report eligible data breaches to authorities and the public.
Canon Australia's inaugural Business Readiness Index found that 3 in 5 businesses (59%) are unaware of the legislation and what it means for them. Only 1 in 5 (19%) small businesses were aware and prepared for the new regulations.
Small business and security
The findings, based on insights from over 400 key business decision makers, also revealed a continuing lack of concern among small businesses about security breaches. While 38% of Australian businesses are "extremely" or "very concerned" they could suffer a security breach in the next 12 months, only 21% of small businesses (fewer than 20 employees) were extremely or very concerned. A further 15% of small businesses were not concerned at all.
Director of Canon Business Services Gavin Gomes said the lack of awareness and concern shown by businesses can have both short-term and long-term effects.
"The fact that 1 in 2 are only 'slightly' or 'not at all' concerned about potential upcoming breaches is in itself a red flag. In the short run, this makes them the ideal back door entry for cybercriminals angling for prized data and revenue from larger enterprises. Longer term, the implications can include missed opportunities worth millions – be it lost contracts or irreversible reputational damage," he said.
Australian Small Business and Family Enterprise Ombudsman Kate Carnell echoed his concerns.
"Small businesses are particularly vulnerable to sophisticated cybercriminals as they often lack the time and resources to properly investigate and understand this very real threat," she said.
"With penalties of up to $360,000 for individuals and $1.8 million for organisations, the impact of a breach on a small business is devastating."
Preparing for the new laws
The new data breach laws come into effect from today and apply to all Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more. They also apply to credit reporting bodies, health service providers and tax file number (TFN) recipients.
A data breach occurs when there is unauthorised access to, unauthorised disclosure of, or loss of personal information. An eligible data breach is one that satisfies all three of the following criteria:
- There is unauthorised access to or unauthorised disclosure of personal information or a loss of personal information that an entity holds.
- This is likely to result in serious harm to one or more individuals.
- The entity has not been able to prevent the likely risk of serious harm with remedial action.
If an eligible data breach has occurred, you need to notify the individuals who are likely to be at risk of serious harm. The Commissioner also needs to be notified as soon as possible by providing a statement.
The Office of the Australian Information Commissioner (OAIC) recommends developing a data breach response plan. You can see how to do this on the OAIC website.