Mandatory data breach reporting laws come into effect from 22 February this year. This means where there’s unauthorised access to a client’s information that may cause harm, the breach must be reported to the Office of the Australian Information Commissioner (OAIC) and the individual affected.
You can learn more about the implications for accounting firms here.
The Australian Small Business and Family Enterprise Ombudsman, Kate Carnell, is concerned businesses aren’t aware of the substantial penalties which can be imposed for non-compliance with the new laws, which are up to $360,000 for individuals and $1.8 million for organisations.
“Small businesses can’t afford not to understand what the new laws mean to them, and yet I’ve read this morning a new study reporting 44 per cent of Australian businesses are not fully prepared,” said Ms Carnell.
“Another report by Telstra last year found 33 per cent of small businesses don’t take proactive measures to protect against cyber breaches,” she said.
The scope for reportable breaches is wider than most realise. Unauthorised access which requires reporting is not necessarily in the realm of a devastating cyber attack — it could be an employee, an independent contractor, or an external third party.
Ms Carnell encouraged firms to think about data in the same way they think about office space — there’s typically a hesitancy to allow unsupervised access to an office space without total trust.
“Protect your business’s data like you would your office: lock up at night, don’t give the keys to anyone you don’t trust, and report any suspicious activity that takes place on your premises,” Ms Carnell said.
There are government resources and guides available to small business, which you can access here.