More than half of Australian small business owners are blissfully unaware that new laws around mandatory reporting of data breaches that come into play on Thursday could attract crippling fines, research shows.
The Notifiable Data Breaches (NDB) scheme under the Privacy Act establishes new reporting requirements: small businesses covered by the Australian Privacy Act 1988 must report eligible data breaches to the authorities, and to the affected members of the public, if they believe or are aware that personal data has been compromised.
While small businesses have been shielded from the impact of privacy laws, some of these new requirements will regulate even micro businesses in one way or another.
What is a data breach?
A data breach occurs when personal information held by a small business is lost or subject to unauthorised access or disclosure.
This could include if a device containing customers’ personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person. This could also include the accidental leaking of information such as customers’ credit card details, tax information or home address.
Small businesses unprepared
Small businesses were urged to put a spotlight on cyber security and to step up their capabilities throughout 2017, but it appears many have not.
Research published today reveals almost half of all Australian SMBs with an annual turnover of $3 million don’t consider themselves prepared for the mandatory data breach disclosure laws.
In fact, 57 per cent of SMBs have not undertaken any sort of IT security risk assessment in the last 12 months, putting their devices, data and documents at risk, the research found.
While 18 per cent currently have a compliance policy in place and 33 per cent are developing one, it could be a case of too little, too late for many small business owners. The HP Australia IT Security Study was conducted by ACA Research.
One of the major stumbling blocks could be small businesses that allow employees to work remotely. Fewer than half of respondents (44 per cent) have a security policy in place for employees who bring a personal device to work, and only 37 per cent restrict the data that can be accessed from such a device.
The research set out to uncover Australian SMBs’ approach to IT security, including policies, procedures and risk management, as well as exploring their preparedness for the new data breach notification laws. It surveyed 528 Australian SMBs with between 10 and 99 employees across the services, production, retail and hospitality, health and education and distribution industries.
Severe consequences
Small businesses have been warned that the consequences of a data breach can be severe, ranging from financial loss to brand and reputational damage, says Paul Gracey, director of printing systems for HP South Pacific.
“Security threats are evolving every day. Due to reduced effectiveness of firewall protection, every device on an organisation’s network is at risk, and unfortunately printing and imaging devices are overlooked and left exposed.”
Security blind spots such as visual hacking (where confidential data is read directly from a device’s screen without permission) threaten to unhinge small business owners, he says.
Over half of the respondents flagged “employee carelessness” as a significant security threat to their business, with concerns not just over the behaviour of staff outside the office but also over external threats such as visual hacking, Gracey says.
“Think about the number of times you’ve opened your work laptop on the train or bus, only to catch someone looking over your shoulder.”
The not-so-humble printer is increasingly becoming the entry point of choice for hackers, and as SMBs remain focused on security software, hackers are looking to printers as the easy way into a business.
Gracey explains that smart printers can retain sensitive information and are often excluded from risk assessments. “Small businesses need to ask what data they have, where it’s kept and where it is being used,” he says.
Handling the new laws
Sydney’s Salinger Privacy consults and trains on all things privacy-related. Director Anna Johnston says handling the new laws isn’t as easy as just copying a privacy policy from another company’s website.
“Knowing how to manage the personal information you hold, to make sure you comply with privacy laws, can be difficult for even well-established businesses with in-house privacy or legal teams. But for start-ups and small businesses, it can seem an impossible task.”
The new legislation carries significant financial penalties, and will affect any small business that collects personal information from its customers and staff, warns Australian Small Business and Family Enterprise Ombudsman Kate Carnell.
“Protect your business’s data like you would your office: lock up at night, don’t give the keys to anyone you don’t trust, and report any suspicious activity that takes place on your premises,” Carnell says.
“With penalties of up to $360,000 for individuals and $1.8 million for organisations, the impact of a breach on small businesses can be devastating,” Carnell says.
To prepare for a data breach, small businesses are being urged to draw up a Data Breach Response Plan: a plan that can be put into action in the first hours and days after a breach is discovered.
The NDB scheme begins on February 22, and only applies to eligible data breaches that occur on or after that date. Breaches are reported to the Office of the Australian Information Commissioner.