Small businesses shouldn't be excused on data breach reporting, experts say

Small businesses shouldn't be excused on data breach reporting, experts say

New laws proposed by the Turnbull government would force some companies to notify Australians if their personal data is breached as the result of a hack or cyber attack, but some experts say the rules don't go far enough.

The exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, introduced at the end of last year, requires any company or government agency subject to the Privacy Act 1998 to make the notifications within 30 days, however this means any non-profit or company with less than a $3 million per year turnover is exempt.

Even small companies now collect masses of personal information.

Even small companies now collect masses of personal information.

Photo: Fairfax Media

Ty Miller, of computer security firm Threat Intelligence, says the $3 million provision is a "historical value", sorely in need of updating in an age where even the smallest start-ups are collecting reams of personal data.

"In the last three to five years there's been a shift towards big data collection [among start-ups and small businesses]", Mr Miller said, adding that he's witnessed breaches at Australian companies turning over much less than $3 million, but which had housed some serious data.

"I did a digital forensic investigation for a smaller accounting firm that got breached, and we could see based on the info they had that there had been data stolen," Mr Miller said.


"Being an accounting firm they of course had extremely sensitive information, including financial data of other businesses. They never had to disclose that breach."

Breach notifications are important because they give individuals a chance to change their passwords, cancel their credit cards or take other preventative action before the attackers can use any stolen data against them. For a company however, acknowledging the breach can mean substantial damage to reputation and business.

Dealing with data breaches can be a challenge for smaller companies. Many are ill-equipped even to detect a breach, often not finding out until months later. Even then, while the company may know an intruder has accessed its systems, it might not be able to determine what – if anything – was stolen. The need to make a potentially damaging declaration in the result of a breach would act as an incentive to make sure security systems are as tight as possible.

Mr Miller argues that having the breach notification laws apply to companies on the basis of the kind of information they're storing, rather than the amount of money they make, would be a better way to balance the concerns of business and individuals.

Chief executive officer of the Consumer Action Law Centre, Gerard Brody, said last year that individuals should have a fundamental right to be informed of "any data breach involving personal information about them".

"This is not just because of potential adverse consequences caused by the release of personal information, but also a fundamental human right to autonomy," Mr Brody said.

Submissions from the public concerning the draft bill are due by March 4.

Tim Biggs

Tim is the editor of Fairfax's technology sections.

Most Viewed in Technology


Morning & Afternoon Newsletter

Delivered Mon–Fri.

By signing up you accept our privacy policy and conditions of use