In the six months to December 2023, Australians were the victims of 463 notifiable data breaches, with malicious or criminal attacks behind two-thirds of them.

Currently, only entities covered by the Privacy Act – businesses with a turnover of more than $3 million, government agencies and some small businesses such as health providers – have obligations regarding data handling and reporting of any breaches.

This equates to fewer than one in every ten businesses in Australia and an elevated risk for consumers.

A key recommendation of the Privacy Act Review Report released by the Attorney-General’s Department in February last year was that the current small business exemption be removed after consultation as to the best way to do it.

The federal government has agreed in principle, but has not yet started consulting on it.

Piper Alderman partner Joshua Annese warned that small businesses should “get on the front foot now”.

“There are very strong reasons why small businesses should take an interest in managing their cybersecurity risks appropriately,” Annese said.

“There can be serious consequences from not managing your information and data security properly… with ransomware attacks, people get their systems locked down, are unable to access their data or manage their business, and sometimes they lose that data forever.

“There’s also reputational damage that comes from having a data breach and having your customers’ personal details exposed.”

Annese said that, as with larger companies, small businesses could see serious repercussions.

The Optus, Medibank and Latitude cyberattacks, which all involved ransom demands, exposed the data of millions of customers.

Optus is now facing one class action, Medibank is facing three – including one by shareholders, and lawyers are investigating the possibility of filing one against Latitude.

“Businesses caught up in data breaches [have been] criticised for retaining data that they really no longer needed, even if they were not considered to be at fault for the breach,” Annese said.

“As a result of the Optus breach, people have been asking whether it is really necessary for a telco to collect and hold sensitive identification information like passport and driver’s licence numbers that may be used to facilitate fraud.”

Annese advises banking and financial institutions on regulatory compliance and IT matters. He said now, even outside of this sector, businesses are more actively managing data and formalising data governance arrangements.

“It’s much more common for cyber security due diligence assessments to be required before entering into service contracts or engaging a service provider with annual ongoing due diligence refreshers,” he said.

“In some regulated settings this is mandated by requirements imposed by regulators, but it’s also just part of overall good governance.”

The current small business exemption from the Privacy Act means a large part of the economy is not covered by the privacy laws.

“That’s part of the reason why Australia’s privacy regime isn’t recognised internationally as being equivalent to some of the larger regimes like the GDPR in Europe and the UK, where there’s much more onerous obligations,” he said.

“The question is, to what extent do they need to comply? And will there be concessions granted by the government to make it easier for smaller businesses to comply?”

From the consumer’s perspective, Annese thinks the risks of having one’s data seriously compromised through financial institutions is much lower now.

“The regulators are taking an increasingly sophisticated approach to the requirements they’re imposing … particularly with authorised deposit-taking institutions,” he said.

“New requirements were imposed by APRA several years ago on data security [and] there’s a new risk management Prudential Standard that starts next year, CPS 230 Operational Risk Management, which is wider than just information and cyber security.”

The federal government’s Digital ID Act has just passed  Parliament and from 1 December 2024 will facilitate new ways for people to legally identify themselves with a business or government entity without needing to hand over sensitive identification information, like passport or driver’s licence numbers, or date of birth.

This will allow the expansion of the MyGovID system and the introduction of new digital ID services in the private sector.

Annese believes the changes imposed on financial institutions are keeping pace with the digital transformation of business, but “the public is reliant on the regulators monitoring” businesses’ changing risks.

“If we’re talking about managing their overall cyber risk, for example, the risk that they could get hacked and the information could get accessed, APRA has a role in that, in ensuring that the business continues, and it’s safe and sound,” he said.

“The Prudential Standards are not detailed in the sense of the technology that it relates to, or the controls that are required to be imposed.

“As their technology [and] the way they do business changes, they’re obliged to continually update their risk assessments, and ensure that the controls they’ve got in place remain appropriate.

“But also, OAIC [the Office of the Australian Information Commissioner] as the privacy regulator has a role to play in ensuring that the privacy laws are being adequately enacted and complied with.”

OAIC’s remit may soon include businesses with a turnover of less than $3 million, once the consultation is concluded, meaning they too will have to adhere to the Australian Privacy Principles.

“Cyber security and privacy are now much more front of mind,” Annese said.

“Businesses need to manage the risks and think carefully about what personal information they are collecting, why they are collecting it and how they will protect it.”

Joshua Annese is a judge for InDaily and CityMag’s 40 Under 40 awards, with Piper Alderman the sponsor of the Emerging Industries Award. This year’s winners will be announced at a gala event at Adelaide Oval on 27 June. Purchase tickets here.

Follow @Piper Alderman on LinkedIn for upcoming webinars on data security and financial services