Thursday 22nd February is a date that all businesses in Australia should be aware of. What happens on this date has the potential to hugely impact businesses, and indeed their bottom lines; however, many business owners we speak to still have absolutely no idea what is happening on this date.
So what is happening? 22nd February 2018 is the day on which Australia’s Notifiable Data Breaches (NDB) scheme comes into force. The scheme requires notification of unauthorised access to, unauthorised disclosure of, or loss of personal information where that is likely to result in serious harm, as in the following 2017-2018 examples:
Xbox 360 – 1.2m Xbox customers had their email addresses, names and passwords stolen https://www.identityforce.com/blog/2017-data-breaches
Dun & Bradstreet – had their 33-million-record corporate marketing database shared on the internet https://www.identityforce.com/blog/2017-data-breaches
Uber – became aware of a data breach which could potentially expose the personal information of 57 million drivers and users https://www.identityforce.com/blog/2017-data-breaches
GoGet – https://www.itnews.com.au/news/goget-reveals-data-breach-as-police-arrest-alleged-hacker-482180
Aadhaar – 1-billion-record public database hacked in India, with names, email addresses and phone numbers released
These breaches need to be reported to the Office of the Australian Information Commissioner and, tellingly (and expensively), to the people involved. Why is telling the people involved so expensive? The average cost to a business of notifying an individual is $139 per record; multiply this across your client base and the cost of a breach can run into the tens, and sometimes hundreds, of thousands of dollars (https://www.cloudrecover.com.au/cost-data-breach-australia/).
It is folly to think that because you are a small business you will not be targeted by hackers (internal or external to the company). After all, think logically: would a hacker rather go after an ASX-listed company that has a team of cyber security personnel, or an SME that is likely to have little or no security in place? Secondly, just because your information is in the cloud, does this protect you? No, not really. How secure is the cloud? Do you have backups of the data? etc…
So how do you know whether you have to comply with the scheme? The following link includes a checklist which you can work through to determine whether the scheme applies to you: https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-10. If it does, then you should already be discussing a Cyber Liability policy with your broker.
Make no bones about it: in our opinion this is the biggest current exposure faced by businesses, many of whom have no idea about the risk out there.