What mandatory data breach notifications mean for SMBs

Cybercrime has become a major problem in Australia, with over 114,000 reports of cybercrime registered with the Australian Cybercrime Online Reporting Network (ACORN) since 2014.

The handling of sensitive customer data in the digital world has become so important that the Federal Government has legislated mandatory data breach notifications, which started in February 2018. 

This means that any not-for-profit SMB that has a turnover of $3 million annually, or any health organisation regardless of turnover, must report data breaches to both the government and customers impacted within a reasonable timeframe.

So what does this mean for SMBs, and what should you do if a data breach occurs?

How do I identify a data breach?

According to the Federal Government’s Office of the Australian Information Commissioner (OAIC), a notifiable breach “is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates”.

This can include when a customer’s personal information is lost or stolen, a database containing personal information is hacked or personal information is mistakenly provided to the wrong person.

A data breach doesn’t necessarily have to be a cyber attack either, as customer details can be mishandled through human error or poor company processes as well.

That is why it is important for SMBs to have a data breach response plan. The Federal Privacy Act states that “an entity must take reasonable steps to protect the personal information that it holds”.

By having a plan and acting swiftly in the event of a breach, a business is able to mitigate the pain and suffering caused to the business and customer(s), prevent costly damages claims and build public trust by showing action has been taken to protect sensitive information.

If you have no plan in place when you report the breach (as you are obligated to by law), then the damage to your reputation and bottom line can be high.

What are the steps to take if my SMB has been breached?

If you suspect a data breach, a statement must be issued to the Commissioner in a reasonable timeframe.

This statement should include your company’s identity and contact details, a description of the data breach, the kinds of information concerned and recommendations about the steps individuals should take in response to the data breach.

You are also required to send the contents of this statement to individuals that could be impacted by the breach.

What are the penalties if I don’t act?

The highest possible penalty under the Privacy Act is $1.7 million. But this figure could soar even higher if your customers have a case to claim for damages, not to mention the damage done to the reputation of your business.

How EMPR Solutions can assist

SMBs don’t want it to reach the point where data breaches occur and notification becomes necessary.

While a data breach response plan is effective in mitigating after the fact, prevention is always better than the cure.

Our team at EMPR Solutions can assist with the proper information, planning, and software to prevent data breaches from happening in the first instance.

Get a free assessment or learn how our in-house experts can help optimise your workplace with custom-tailored solutions on 1300 289 867. Alternatively, connect with us on solutions@emprgroup.com or visit our website.

– Josh Alston
