THE Australian Small Business and Family Enterprise Ombudsman (ASBFEO) has urged small businesses to prepare themselves to manage mandatory data breach reporting laws, effective February 22.
“If an unauthorised entity accesses anyone’s personal information from a business computer system, where it is likely to result in serious harm to that individual, that data breach will have to be reported to the Office of the Australian Information Commissioner (OAIC), as well as the individual affected,” Ombudsman Kate Carnell said.
“An unauthorised entity could be an employee, an independent contractor or an external third party, such as a hacker (via cyber attack). Serious harm to an individual may include physical, psychological, emotional, financial or reputational harm.”
Ms Carnell warned that this legislation carried significant financial penalties and would affect any small business that collected personal information from its customers and staff.
“Small businesses can’t afford not to understand what the new laws mean to them, and yet I’ve read a new study reporting 44 percent of Australian businesses are not fully prepared,” she said.
“Another report by Telstra last year found 33 percent of small businesses don’t take proactive measures to protect against cyber breaches.
“With penalties of up to $360,000 for individuals and $1.8 million for organisations, the impact of a breach on a small business is devastating.”
Ms Carnell said information on what a breach is, how to report a breach, and the steps that can be taken in a timely manner to avoid the need for notification can be accessed from the OAIC website.
“With the new laws commencing in around three weeks, I suggest small business operators also read our Cyber Security Best Practice Guide,” Ms Carnell said.
Which categories of small business must comply with the Notifiable Data Breaches scheme can be determined through the Office of the Australian Information Commissioner.