Cyber Security: Small Businesses Now Subject to Mandatory Reporting of Data Breaches

Image: Small businesses that don’t report cyber security attacks will face a maximum fine of $1.8 million under new laws. Image from Max Pixel, under a CC0 Public Domain License.

New laws introduced this month will require all small businesses to report data breaches to the Office of the Australian Information Commissioner (OAIC), as well as to each person affected.

The Notifiable Data Breaches Scheme (NDB) came into effect on 22 February and requires businesses and organisations to report unauthorised access of anyone’s personal information to the Australian Information Commissioner (OAIC), as well as any individual affected.

The Australian Small Business and Family Enterprise Ombudsman warns that a data breach (unauthorised access of someone’s personal information) via a business computer system could be carried out by another employee, an independent contractor or an external third party or hacker.

Businesses faced with a data breach incident will now have to report the incident or face a penalty of $360,000 for individuals and $1.8 million for organisations.

For small business owners, including farmers, the new laws serve as a timely reminder about the benefits of good record keeping and office security.

‘If someone steals info or gains info from your systems that could cause serious damage to an individual, like physical damage, psychological damage, financial damage or reputational damage, you have to report it,’ said Australian Small Business and Family Enterprise Ombudsman Kate Carnell.

‘Protect your business’s data like you would your office: lock up at night, don’t give the keys to anyone you don’t trust, and report any suspicious activity that takes place on your premises,’ she said.

Small businesses can implement basic changes to reduce the risk of being compromised, including:

  • Prevention
    • Back up IT systems regularly
    • Install security updates
    • Use complex passwords and two-step authentication systems
    • Limit access to administrator accounts and sensitive information
  • Sound Practices
    • Make cyber security an ongoing conversation within your business
    • Browse safe sites
    • Only install apps you trust on your devices
  • Respond
    • If you think you’ve experienced a data breach, report it to the authorities and your staff
    • Restore backups from before the incident
    • Consider cyber insurance
Need to know more?
Breach definitions and information about how to report a breach are available on the OAIC website and the Cyber Security Best Practise Guide is also a useful point of reference.

Sources: Australian Small Business and Family Enterprise Ombudsman