The Privacy Amendment (Notifiable Data Breaches) Bill passed in 2017 and the scheme commences on 22 February 2018. It requires agencies, organisations and certain other entities covered by the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach, that is, one that is likely to result in serious harm to the individuals concerned.
According to the OAIC, “a data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure”.
Failure to comply with the notification requirements is treated as an interference with privacy; for serious or repeated interferences, the Commissioner can seek civil penalties of up to $340,000 for individuals and $1.7 million for bodies corporate.
Change Accountants & Advisors chief executive Timothy Munro believes accountants have to get up-to-date with the scheme and start training and informing staff members on the potential ramifications.
“The biggest game changer for 2018 will easily be the new notifiable data breach laws,” said Mr Munro.
“Accounting businesses that haven’t planned for this and updated their security protocols will be absolutely smashed with fines and potentially lose their tax agent licence after February 2018 when these new laws come into effect.
“One sloppy team member who clicks on a link in an email could bring down an entire accounting business – it’s that serious,” he added.
“My urgent message to all accounting firm owners: Take this seriously, research it to understand the new laws, and get started now with new team policies and team training to ensure you are not at risk.”
Earlier, Smithink director David Smith said accounting firms were a “very attractive target” for cyber criminals and warned that “time is not your friend” in preparing for the new laws.
Kamino Cyber Security and Midwinter managing director Julian Plummer further believes the majority of accountants have yet to spend enough time researching or preparing for the upcoming changes to the Privacy Act.
“This means that if, at any point, you experience a data breach, you will automatically be increasing the risk of loss of confidence in your business from a client’s point of view, as you are now obliged to tell them directly when and if a breach occurs,” said Mr Plummer.
“Data published by the Ponemon Institute has revealed that the average cost to an organisation for a data breach notification is $88,000, taking into account necessary actions such as creating a new client database, legal costs for the notification, related communication costs associated with notifying clients etc.
“The cost alone should be enough to convince you to take this seriously.”