Privacy law changes are here – is your SME ready?


New Australian privacy laws came into force on February 22. Experts warn you may be left scrambling if your SME hasn’t locked down personal information and developed a response plan to deal with privacy breaches. Under the changes to the Privacy Act, Australian businesses with annual turnover in excess of $3 million must assess a suspected breach within 30 days and, if it turns out to be a serious data breach, notify the affected individuals and the Office of the Australian Information Commissioner as soon as practicable.

But what does a serious breach entail – and where should you start, if you think you’ve had one?

Essentially, it’s any situation where personal information – think customer names, email addresses, phone numbers or more sensitive information such as health details – is compromised, Macpherson Kelley Lawyers IT principal Malcolm McBratney explains. It doesn’t take much to fall within that definition, McBratney points out.

“Your system is attacked and you suffer a phishing attack, or someone loses their mobile phone and it’s not password protected, or someone’s provided information about an individual to the wrong person…it’s not a very high bar,” he says.

Unauthorised access to, disclosure of, or loss of personal information is only the first part of the test. For the breach to be notifiable, a reasonable person must also conclude it is likely to result in serious harm to one or more of the individuals concerned, and that likelihood must still exist after any remedial action you have taken.

Be prepared

If a breach does occur, you’ll need to react appropriately and quickly, or you risk a fine from the Office of the Australian Information Commissioner, a statutory body with the power to impose stiff financial penalties of up to $1.8 million for serious or repeat offenders.

Even if your SME is too small to be impacted by the new privacy rules, this is still a worthwhile exercise. A serious data breach can impact your customers and dent your business reputation; mitigating the damage is easier if you are prepared and can respond quickly.

McBratney recommends reviewing your current privacy policy and, if necessary, developing a data breach response plan to accompany it.

“There’s no need to make it War and Peace,” McBratney says.

“What’s needed is a simple document outlining how you’ll determine whether a breach has taken place, who’ll be responsible for doing so, the steps you’ll take to remedy the breach, based on the nature of the incident, and how you’ll go about issuing a statement to customers and the Commissioner.”

It’s a good time to review your contracts with suppliers, if you outsource any computing or communications functions.

“Contracts should state that if the supplier experiences a data breach, they’ll inform you immediately and take steps to fix it in a timely manner,” McBratney says.

The case for staying safe

Prevention is always better than cure, so now is the time to put some practical strategies in place. Regular training can remind staff of cyber-security basics: using strong, unique passwords and changing them whenever they may have been exposed, securing laptops and smartphones, and not opening unexpected email attachments or links.

There’s a strong economic case for vigilance, according to Troy Filipcevic, managing director of underwriting agency Emergence Insurance, who has helped a string of businesses pick up the pieces financially after falling victim to phishing and hacking attacks.

Ransomware attacks can put companies out of action for anywhere between a day and several weeks, Filipcevic says.

In the event of a serious data breach, cyber liability insurance may provide financial protection for your business. Policies can cover losses arising from hacking, data theft or accidental loss of client information, including the costs associated with cyber response and business interruption. For more information about cover, contact us today.