The Notifiable Data Breaches scheme will commence on 22 February 2018, requiring all businesses with an annual turnover of $3 million or higher to notify individuals and the Office of the Australian Information Commissioner (OAIC) when cyber security incidents compromise personal information.
According to the OAIC, “a data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure”.
Earlier, Smithink director David Smith said accounting firms were a “very attractive target” for cyber criminals and warned that “time is not your friend” in preparing for the new laws.
Kamino Cyber Security and Midwinter managing director Julian Plummer further believes the majority of accountants have yet to spend enough time researching or preparing for the upcoming changes to the Australian Privacy Act.
“This means that if at any point you experience a data breach – you will automatically be increasing the risk of loss of confidence in your business from a client’s point of view, as you are now obliged to tell them directly when and if a breach occurs,” said Mr Plummer.
“Data published by the Ponemon Institute has revealed that the average cost to an organisation for a data breach notification is $88,000, taking into account necessary actions such as creating a new client database, legal costs for the notification, related communication costs associated with notifying clients etc.
“The cost alone should be enough to convince you to take this seriously.”
Mr Plummer believes accountants should start by studying the new laws to ensure they have a comprehensive understanding of the scheme.
“Ensure you have an Incident Response Plan in place to manage cyber security. Make sure your IT policies and procedures are up to date, that your staff are thoroughly versed in them and adhere to them. From then on, you can begin to plan and prepare your best line of defence,” added Mr Plummer.
“It also may be a good time to review your cyber insurance policies. Cyber insurance offsets many of the costs of potential IT breaches; however, we recommend doing adequate due diligence, as one size does not fit all.
“Securing your data will secure your business.”