Small businesses face $2m fines for cyber security breaches

The Australian, February 22, 2018

Thousands of business owners are unprepared for a tough new cyber security regime that could see them slapped with fines in excess of $2 million if they fail to report data breaches, a new study warns.

As of today, businesses with an annual turnover of more than $3m that trade in personal information must notify individuals affected by data breaches likely to result in “serious harm” and inform the Australian Information Commissioner. Failure to comply will incur penalties of up to $420,000 for individuals and $2.1m for companies, triggering warnings the new rules could send some businesses bankrupt.

A study from data security consultancy Xpotentia warns that up to 124,000 businesses over the $3m turnover threshold are not ready for the rules, and many lack security systems to beat hackers.

Xpotentia managing director and University of NSW’s principal adviser on cyber security Sorin Toma says small businesses just over the $3m threshold are most at risk. “They might actually have their entire customer data base on a simple PC,” he told The Australian. “You are talking about businesses that employ 10 to 12 people and they have a few computers and they are totally exposed.”

The scheme applies to businesses that keep “personal information data” for customers — including their address, contact and payment details.

Mr Toma urged business owners captured by the scheme to “secure their data with additional software” and “put in a firewall to protect the networks”. He suggested businesses invest in a chief information security officer to identify threats and vulnerabilities.

“A lot of the time, a small business might not know a breach has happened,” Mr Toma said. “It could send you bankrupt … if you report it and you report it inaccurately, then you’re also in trouble.

“Our research has found that businesses are not prepared for the new regulations or, indeed, the new wave of highly skilled cyber criminals penetrating the Australian market.”

The Xpotentia study noted the high instances of data breaches, citing a 2017 Telstra survey showing 59 per cent of Australian companies had detected data security breaches on a monthly basis. It also warned that as many as one in four Australians was targeted by hackers last year. The study noted that almost 50,000 Australians and 5000 public servants from the Department of Finance, the Australian Electoral Commission and the National Disability Insurance Scheme had data exposed as a result of a massive leak by a private contractor.

Cyber Security Minister Angus Taylor yesterday said “not knowing how to protect client or customer data is becoming a poor excuse. There is a lot of information now available on cyber security. The onus is with business operators, with organisations and with government agencies, to put measures in place to reduce the risk of data breaches.”

A spokeswoman for Mr Taylor acknowledged it would “take some time for businesses and organisations to become familiar with requirements” and said the Office of the Australian Information Commissioner would work with them to ensure they understood their obligations.

The Australian Industry Group alerted its members yesterday to the new regime, but said most small businesses with annual turnover under $3m would not have to comply.