The ballooning fallout of the Latitude Financial hack provides the federal government with the perfect backdrop to take long-awaited action on cyber security that will have far-reaching implications for small businesses.
Europe, the UK, and the United States have laid out a series of potential roadmaps for Australia to take. While the exact path isn’t determined, small businesses can safely take proactive steps to prepare for whatever is to come, including mapping datasets, reviewing privacy policies and rewriting contracts.
Latitude Financial sets the stage
Fourteen million records have been stolen from Latitude Financial, making it one of the worst breaches in Australian corporate history.
In the last three weeks, Minister for Home Affairs Clare O’Neil has been on the hustings spruiking the federal government’s National Cyber Security Strategy along with its goal for Australia to become the most cyber-secure country by 2030.
On March 28, O’Neil told the Tech Policy Futures event at Parliament House about the central role regulation reform will play in upcoming strategy.
The Minister followed this up last week with an address to the Sydney Dialogue where she referenced Optus, Medibank and Latitude, adding that “if every business is a target, every Australian is at risk”. Most businesses are not Optus, Medibank and Latitude. Ninety-three percent of Australian businesses have a turnover of less than $2 million, according to the ABS.
Submissions to the government’s discussion paper are due by the end of this week and small businesses need to make their voices heard. The government wants to know what assistance small businesses need to “manage their cyber security risks to keep their data and their customers’ data safe”.
Where small business sits
In order to achieve the government’s cyber secure goal, small businesses — which for the most part falls outside of the current SOCI Laws (Security of Critical Infrastructure Act) addressing critical infrastructure — will need to play their part. The Australian Cyber Security Centre provides guidance to mitigate against cyber risk, and its Essential Eight recommendations distinguish between maturity levels of the business in terms of cyber vulnerability.
Small businesses should assign responsibility for privacy and cyber compliance to skilled personnel. In too many instances, this will mean outsourcing and right now the cost of external consultants is too high. The government will have to bring that cost down for small business either by significantly increasing the supply of cyber professionals, which will take time, or by subsidising cyber services for companies with a turnover below a certain level. Indeed the subsidy could make a useful bridging policy to encourage action now.
Small businesses should have a defined strategy for compliance with these laws and safeguards against network hacks, and data loss, including training staff, asset identification, data supply chain review, audit and reporting. Reducing risk now could protect if a vulnerability arises tomorrow.
Although cyber and privacy overlap, the Privacy Act is likely to see significant reform if the recommendations from the Attorney General’s review are adopted. This seems likely as the review was started by the previous government and endorsed by the Office of the Australian Information Commissioner (OIAC).
As reported by SmartCompany, the Attorney General has said small businesses should no longer be excluded from complying with the Privacy Act. The reforms are also likely to implement some key GDPR positions from the European Union, such as a shorter time window for reporting breaches, and the relationships between Data Controller and Data Processor.
Meanwhile, private tech industry polling indicates 85% of Australians want firm action on cyber security. It’s hard to imagine an issue on which Australians agree more strongly.
International momentum
The domestic momentum towards greater cyber security regulation post the Latitude data breach is matched by similar experiences internationally.
In the US, the Biden administration has released the Executive Order on the issue. The US is looking to hold US SaaS companies responsible if they fail to take adequate steps to safeguard their solutions against cyber attacks.
As cyber security best practice requires a combination of strategy, education, technology, and review, it may be challenging for the government to implement a one size fits all standard for compliance, rather it may recommend a framework.
There may be safe harbour protections for those companies who can show they adopted the framework, combined with expanding reporting from the current SOCI laws more generally.
Given the speed at which the Privacy Act (which increased the scope of the law, powers of the OIAC and penalties for breaches) passed at the end of 2022, there is support within the Parliament for changes to be enacted quickly.
Map, review and rewrite
There are steps that small businesses can take now to ensure they’re not left flat-footed when the government’s strategy emerges. These steps can be built upon irrespective of exactly what O’Neil and the Labor government have in store.
Businesses should conduct regular mapping of datasets, including data transfers with third-party data suppliers and cloud service providers, to ensure that only required data is being shared through the supply chain. This can help the business understand the potential vulnerabilities in their data management practices and take appropriate measures to protect it.
Businesses should also be reviewing cyber vulnerabilities, and ensuring best practices for cyber security, such as two-factor and regularly changed strong passwords, data duplication and backup, as well as automated tools to discover vulnerabilities. This can help the business implement appropriate policies and procedures to protect their networks and the personal information and other sensitive data which may be processed through them.
Consider privacy policies too, and re-negotiate writing contracts that don’t include standards for cyber best practices, cyber insurance obligations, cyber audits, and adequate liability provisions for data. Third-party relationships can create potential risks and liabilities if the supplier experiences a cyber attack or breach that affects the small business’s data. By including cyber insurance and other cybersecurity protections in contracts with suppliers, small businesses can help mitigate these risks and protect themselves from potential financial losses.
The definition of ‘business as usual’ for cyber is about to change. Small businesses need to understand the required response will be achievable, but also non-negotiable.
Andrew Truswell is a director at tech-focussed law firm Biztech Lawyers.
COMMENTS
SmartCompany is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while it is being reviewed, but we’re working as fast as we can to keep the conversation rolling.
The SmartCompany comment section is members-only content. Please subscribe to leave a comment.
The SmartCompany comment section is members-only content. Please login to leave a comment.