Australian Businesses Not Prepared for New Data Breach Laws


Sorin Toma
University of NSW, Principal Adviser – Cyber Security
Managing Director – Xpotentia

New research has found that thousands of small to medium Australian businesses are not prepared for the Federal Government’s new ‘Data Breach Reporting Guidelines’ that come into effect from 22nd of February 2018.

A report produced by Xpotentia Managing Director and University of NSW’s principal adviser on cyber security, Sorin Toma, claims that many businesses that are increasingly conducting trade online are unaware of or unprepared for the new guidelines on data breach reporting. The new regulations include steep penalties for failing to properly report a data breach.

“Many businesses that conduct trade over the internet through sites like Amazon handle reams of personal information like bank, credit card and even PayPal details. According to a Telstra survey last year, 59 percent of Australian companies had detected a data security breach on a monthly basis,” Mr Toma said today.

“Our research has found that businesses are not prepared for the new regulations or indeed, the new wave of highly skilled cyber criminals operating within the Australian market,” Mr Toma said.

According to the Office of the Australian Information Commissioner, from today, retail businesses with an annual turnover of $3 million or more, or that trade in personal information, will be required to comply with the Notifiable Data Breaches (NDB) scheme.

Under the scheme, businesses that meet the criteria must notify individuals affected by a data breach that is likely to result in ‘serious harm’, as well as inform the Australian Information Commissioner.

Failure to adequately report a data breach to the Federal Government and affected consumers will result in penalties under the Privacy Act which can include fines of up to $340,000 for individuals and up to $1.7 million for companies.

The Xpotentia report states that many businesses are risking falling foul of the new regulations because they haven’t developed an effective cyber security team starting with the recruitment of a quality Chief Information Security Officer (CISO).

“This is where businesses need to start in building their defences against cyber criminals and ensure they comply with the Government’s new regulations. A quality CISO can help identify potential threats and areas of vulnerability, as well as ensure regulatory compliance,” Mr Toma said.

“A good CISO should have around 20 years’ experience in technology leadership roles. They should have the ability to develop an integrated security team around them, including specific technology managers, strategists, analysts and security engineers. They should be able to think strategically about how to stay ahead of potential perpetrators and adapt to the rapidly changing cyber technology arena,” Mr Toma said.

The full report can be viewed at