Businesses unprepared for new data breach notification laws

In the AFR today. One would reasonably suspect that such regulations both in Australia and offshore that come into affect early this year will be a positive for CVT by way of inbound inquiry leading to an increase into the qualified pipeline of opportunities that will then translate into further contract wins for the group.

Businesses unprepared for new data breach notification laws

Thousands of Australian small businesses remain woefully unprepared for the introduction of new laws that will require them to publicly disclose if their customers' data is breached by hackers or technology problems, according to local industry experts and recently conducted research.
Mandatory data breach reporting laws come into effect in Australia in February, years after they were introduced in other countries, such as the US, but a new study by cyber security provider CyberArk has found 44 per cent of Australian businesses are not fully prepared.
While it is predictable enough for a security vendor to warn that businesses need to worry more about security, independent Australian cyber security expert James Turner, of IBRS and CISO Lens, said small businesses were "absolutely not" prepared for the new laws.
"I recently did two events with FireEye and [law firm] Baker McKenzie. The majority of attendees were not from IT and security, they were from legal, compliance and risk ... Yet despite these people being from organisations that had sufficient maturity to put people in these roles, they still did not feel adequately informed," he said.
"This means that the vast majority of small businesses that don't have security, privacy, risk, legal and compliance people probably have no idea at all, and that really concerns me."
Under the proposed laws, which come into effect on February 22, if an organisation subject to the Privacy Act incurs an "eligible data breach", it will have to alert the Australian Information Commissioner and the people whose data has been compromised.
Eligible breaches are those in which there is unauthorised access, disclosure or loss of personal information held by an entity and that access, disclosure or loss is likely to result in "serious harm to any of the individuals to whom the information relates".
Businesses that fail to report will face penalties of up to $360,000 for individuals and $1.8 million for organisations.
Lack of awareness

RSA chief cyber security adviser for the Asia-Pacific region, Len Kleinman, said many small businesses with under $3 million in annual turnover might not realise they were also subject to the legislation.
"Small businesses are still required to comply if they handle personal information. Some examples are health service providers – such as weight loss agencies, gyms and alternative medicine practices – credit reporting bodies, and childcare centres," he said.
"In certain ways, preparation for small business is more critical, as the cost of a breach – both dollar and reputation-wise – can have a significantly more profound impact on the financial livelihood of a small business."
The study by CyberArk also found that energy, oil and gas and utilities companies reported being the least prepared for the new laws, with 27 per cent saying they would not be prepared if the rules were introduced today and a further 40 per cent saying they were only partially prepared.
About 80 per cent of media, leisure and entertainment companies also reported being unprepared or only partially prepared.
Spotting breaches

Mr Turner said research had consistently shown that organisations were often only alerted to a data breach by a third party after it had occurred, and that larger businesses would also be caught unprepared.
"A really bad outcome would be for an organisation to be completely blind-sided by a data breach and then have its executives scrambling around trying to understand what happened and why the Privacy Commissioner, the media and the public are so mad about it," he said.
Late last year online taxi company Uber became the latest tech giant to be hit with a wide-scale data breach. affecting about 57 million of its users, following on from the Yahoo and Equifax breaches.
Mr Turner said the Uber case demonstrated that companies already on shaky ground with their public image could not afford to be the victim of a cyber attack.
"The lesson is that if an organisation is already struggling on the PR front, a data breach can make things worse," he said.
"It is important to remember that any organisation that gets breached is the victim of a crime and it's not their fault. But it's equally important for executives to keep in mind that cyber incidents are entirely foreseeable, and not preparing for them is imprudent."
Cyber security consultant Rachael Falk said small businesses could get caught up in focusing on immediate threats such as ransomware and phishing, but they also needed to prepare for the new laws by assessing their security controls, putting a plan in place for how to manage a breach, and identifying an expert they could turn to.
"There are cyber distractions everywhere. That's why it's important to focus on the valuable data, where it is, who has access to it and how well it's protected."