From 22 February, there’ll be stiff new penalties for not actively reporting data security breaches – and many businesses are unprepared for the new regime.
Businesses with turnover of more than $3 million will now be required to report to both the government and their customers if:
- Their systems are accessed by an “unauthorised entity” and
- The breach is likely to result in “serious harm” to customers
Those businesses will need to report any breach to both the customers affected (potentially all of them if the system breached contained customer details) and the Office of the Australian Information Commissioner.
Generally speaking, businesses with less than $3 million in turnover will be exempted from the new reporting guidelines, but there are a few exceptions such as:
- A business that provides health services
- Entities related to larger companies which are covered by the new reporting standards
- Credit-reporting businesses or
- Entities that trade in personal information – that is, organisations that disclose personal information about individuals to anyone else for a benefit, service or advantage; or organisations that provide a benefit, service or advantage to collect personal information about another individual from anyone else
Read more about who’s eligible here.
Here’s more on what the government considers a breach, and what the government considers “serious harm” in relation to a data breach.
Penalties for non-compliance
There are some steep penalties for non-compliance involved, too.
With penalties of up to $420,000 for individuals and $2.1 million for businesses *, the government is taking this new reporting guideline very seriously.
Alarmingly, many businesses appear unaware of what’s coming on 22 February.
“[B]usinesses can’t afford to not understand what the new laws mean to them, and yet I’ve read this morning a new study reporting 44 percent of Australian businesses are not fully prepared,” said Small Business Ombudsman Kate Carnell in a statement.
“The impact of a breach on a small business is devastating.”
Despite the steep penalties, there’s no need for undue alarm.
But the best way to make sure you don’t end up in hot water is to avoid a data breach in the first place.
Security tips for businesses
One of the most effective and robust methods you can use to keep your business's financial and invoicing data (which contain customer details) from prying eyes is to use 2-factor authentication.
You’ve more than likely run into 2-Factor Authentication already.
You enter your username and password as usual, but then you’re prompted to enter a code.
The code is generated by an app on your phone once you've entered your username and password in your MYOB software.
Once you have this code, you simply put that in and hey presto, you’re in.
The advantage here is that if somebody somehow gets access to your username and password and tries to log in using another machine, then they’ll need the code generated in the app as well.
So instead of it being doom and gloom once somebody has swiped your login details, there's now another line of defence preventing somebody from logging in without your authority.
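As an added illustration of the mechanism described above (example code written for this page, not MYOB's own, and making no claim about how MYOB's app produces its codes), here is the time-based one-time password scheme used by most authenticator apps (RFC 6238, built on RFC 4226), together with the server-side check a business system needs: a small clock-drift window and a constant-time comparison. The shared secret is the RFC 6238 reference test secret, chosen so the output can be checked against the published vectors; in a real deployment each user gets a random secret that is never shown again after enrolment.

```python
"""Time-based one-time passwords (TOTP, RFC 6238) on top of HOTP (RFC 4226).

Added example, standard library only. DEMO_SECRET is the RFC 6238 reference
secret, used here so the 8-digit codes match the published test vectors;
it is not a real key.
"""
import hashlib
import hmac
import struct
import time

DEMO_SECRET = b"12345678901234567890"  # RFC 6238 test secret (constructed demo value)
STEP_SECONDS = 30                      # length of one time step


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 8,
         step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of elapsed time steps.
    This is what the phone app computes and displays."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                digits: int = 8, step: int = STEP_SECONDS,
                window: int = 1) -> bool:
    """Server-side check of a code typed in at login.

    Accepts the current step and `window` steps either side so a phone
    whose clock is a little off still works, but a code from further back
    is rejected. hmac.compare_digest keeps the comparison constant-time so
    a wrong guess leaks nothing about how close it was. A production
    verifier would also remember the last accepted step per user so the
    same code cannot be replayed inside the window.
    """
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


def login(password_correct: bool, code: str, secret: bytes, unix_time: int) -> str:
    """Toy login flow showing the point of the second factor: a stolen
    username and password alone does not get an attacker in."""
    if not password_correct:
        return "denied: bad password"
    if not verify_totp(secret, code, unix_time):
        return "denied: second factor missing or wrong"
    return "granted"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("code the app would show right now:", code)
    print(login(True, code, DEMO_SECRET, now))
    print(login(True, "00000000", DEMO_SECRET, now))
```

The 8-digit output for `unix_time=59` is `94287082`, the first RFC 6238 vector; authenticator apps usually show the last six digits (`287082`), which is simply `digits=6`. The `window` argument is the usual trade-off: a wider window tolerates more clock drift but also gives an attacker who has seen a code a longer time to use it.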
Want more info about beefing up security in your business?
READ: What is ransomware?
* An earlier version of this article stated penalties were $320,000 for individuals and $1.8 million for organisations, citing figures from the Small Business Ombudsman — however this does not reflect an increase in penalty units made last year.