Home topics news News Security Small Business News Small businesses face stiff penalties under new data breaches scheme, Ombudsman warns James Harkness January 31, 2018 With just over three weeks until mandatory data breach reporting laws come into effect, the Australian Small Business and Family Enterprise Ombudsman (ASBFEO), Kate Carnell, has urged small businesses to ensure they are prepared as a matter of urgency. From 22 February, organisations with personal information security obligations under the Privacy Act 1988 will be covered by the Notifiable Data Breaches (NDB) scheme, which is administered by the Office of the Australian Information Commissioner (OAIC). According to the Ombudsman, where an individual is likely to suffer ‘serious harm’ due to an ‘unauthorised entity’ accessing their personal information from an organisation’s computer system, that organisation must notify the OAIC as well as the individual of the data breach. She noted that an ‘unauthorised entity’ could refer to an employee, independent contractor or external third party (e.g. a hacker) and that ‘serious harm’ may include physical, psychological, emotional, financial or reputational harm.” The Ombudsman said the NDB scheme carries significant financial penalties – up to $360,000 for individuals and $1.8 million for organisations – meaning small businesses that collects personal information from their customers and staff “can’t afford not to understand what the new laws mean to them”. She continued, “Yet, I’ve read this morning a new study reporting 44 per cent of Australian businesses are not fully prepared. Another report by Telstra last year found 33