Notifiable Data Breaches - is your business prepared?

2 minute read  22.02.2018 Sheena Jackson, Nicola Brown
The frequency and breadth of cyber incidents reported in 2017 illustrate that no business is immune to the risk. For the majority of businesses, having a data breach response plan is no longer a 'nice to have'; it's a necessity.

It's the final countdown, with the new notifiable data breaches (NDB) scheme coming into effect this Thursday 22 February 2018 under the Privacy Act 1988 (Cth).

MinterEllison's just-released Perspectives on Cyber Risk 2018 research report shows that only 40% of Australian organisations are prepared for the new NDB scheme. Similar results were cited in a recent study by cyber security provider CyberArk, with small businesses found to be the least prepared.

How are SMEs affected?

As a small to medium business owner, you may not be subject to the Privacy Act 1988 (Cth), including the NDB scheme (specifically, the exemption covers small businesses that have under $3 million in annual turnover).

However, it’s critical that you are aware that the small business exemption will not apply if your business is an entity that:

  • provides any health services;
  • is related to an 'APP entity' (e.g. as a subsidiary of an 'APP entity'), broadly being an entity which is caught by the Privacy Act 1988 (Cth);
  • trades in personal information;
  • is a credit reporting body; or
  • holds tax file number information.

Regardless, your business may be contractually obliged to comply with the obligations of the NDB scheme, so it is essential that you are adequately prepared. For more detail regarding the scheme, you can consult our previous updates here and here, as well as our Perspectives report.

The cost, both financial and reputational, of a data breach can be much more devastating to a small business, so being prepared to act quickly to mitigate, contain and respond to a data breach is a crucial risk management strategy.

How to be prepared?

Navigating the minefield that is the new NDB scheme and its obligations may seem daunting. Some simple tips to help you be prepared include:

  • allocate responsibility within your business for data security and cyber resilience;
  • ensure you have a plan of attack and are aware of the critical steps you would need to take in the event of a data breach; and
  • where possible, identify service providers that handle or hold personal information on behalf of your business and ensure appropriate contractual obligations have been imposed in relation to privacy and data breach response.

We will work with you to provide an affordable data breach response plan for your small to medium-sized business that can be tailored to your needs. With NDB compliance in hand, you can focus on maximising your business' potential.

https://www.minterellison.com/articles/notifiable-data-breaches-is-your-business-prepared