3 in 5 unaware of legislation.
The Privacy Amendment (Notifiable Data Breaches, NDB) Act 2017, which came into effect on February 22, 2018, means that most Australian businesses must comply with the new law. However, the inaugural Canon Australia Business Readiness Index on Security found that many Australian businesses were not sufficiently up to speed on the new data breach notification laws.
The NDB scheme applies to Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more. It requires them to take steps to secure certain categories of personal information that are likely to result in serious harm to any individual affected.
The index found that three in five businesses that will be affected by the new legislation are unaware of it and what it means for them. Small businesses seemed to be the least concerned about data security, with only one in five prepared for the new regulations. This is concerning given that failure to comply puts private organisations with a turnover of more than $3 million at risk of fines of up to $2.1 million for non-compliance.
The study, conducted by GfK Australia in January 2018, found other worrying trends. “Businesses are not prepared enough, particularly small businesses. Only 40% have six or more of the Australian Signals Directorate Essential 8 (ASD8) strategies in place and decreases to 27% for small businesses with 12% having no ASD8 strategies in place at all.”
However, the report revealed that the retail trade sector has more security measures in place than any other industry, with 20% ‘not at all’ or ‘slightly’ concerned about the new laws, compared to an industry average of 31%, potentially indicating that measures are already in place. It also found that 94% of retailers either have been or plan to be assessed for IT security, the highest rate in the industry.
“52% of Australian businesses indicate that protecting company data is one of their highest concerns, while 51% point to protecting customer data as well. These numbers jump to 64% and 58% respectively for the retail sector, the highest of all sectors,” the report said. “Data security spending is also on the rise with one in two businesses saying it will increase with the new legislation in effect.”
The five most common security incidents that occurred in Australia in the last 12 months were viruses, spam, malware/spyware, phishing and ransomware.
“The prognosis is clear; Australian businesses need to improve their data protection measures. Failure to do so could risk compromising confidential data, expose them to hefty fines and lead to significant reputational damage,” the report summarised.