Customers, clients and staff members’ privacy could be breached or hacked because many local small businesses are not properly prepared.
That is the warning from Uptake Digital’s Brenton Johnson, who says more businesses need to act now as the government clamps down on those risking tax file numbers, dates of birth and a raft of other personal data.
Australian Small Business and Family Enterprise Ombudsman Kate Carnell said many small businesses were not properly securing private information ahead of the introduction of reforms to the way data breaches were monitored.
“I’ve read this morning a new study reporting 44 per cent of Australian businesses are not fully prepared,” she said.
“Another report by Telstra last year found 33 per cent of small businesses don’t take proactive measures to protect against cyber breaches.”
Companies would need to get ready, Ms Carnell said. From February 22 the law would change and businesses would need to report “unathorised entities” accessing information to the Office of the Australian Information Commissioner.
They would also need to report breaches to the individual affected.
Editorial: Hack attacks confirm experts’ worst fears
Mr Johnson said currently many businesses had no way of telling if and when their data had been breached.
“If it is breached they don’t know how to respond because this is very new to people,” he said.
In the past businesses had a choice about if they “did the right thing” and reported breaches or hacks to affected individuals or whether they kept it quiet, Mr Johnson said.
Ms Carnell said reports would soon need to be made if the information was likely to result in serious harm to an individual.
“An unauthorised entity could be an employee, an independent contractor or an external third party, such as a hacker via a cyber attack,” she said.
“Serious harm to an individual may include physical, psychological, emotional, financial or reputational harm.”
There would also be steep financial penalties for those failing to comply.
Mrs Carnell said information on breaches and what to report could be accessed from the OAIC website.
“With the new laws commencing in around three weeks, I suggest small business operators also read our Cyber Security Best Practice Guide, which was released this earlier month,” she said.
Mr Johnson said his company was among those offering data responsibility packages to businesses in preparation for the reforms.