Survey shows nearly 50% of ECEC providers aren’t aware of cyber reporting obligations
Under the Notifiable Data Breaches (NDB) scheme, any organisation or agency covered by the Privacy Act 1988 – including early childhood education and care (ECEC) services – must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved.
In an ECEC context, these breaches may occur when a device such as an iPad, which contains personal information (such as parent names and phone numbers), is lost or stolen; when personal information (such as a child’s developmental portfolio) is given to the wrong person; or when personal information (such as a contact list with children’s names, dates of birth, allergies and parent phone numbers) is left behind while on an excursion.
In May 2019, amendments were made to the Privacy Act, which saw an increase in penalties for all entities covered by the Act from the previous maximum penalty of $2.1 million for serious or repeated breaches to $10 million or three times the value of any benefit obtained through the misuse of information, or 10 per cent of an organisation’s annual domestic turnover – whichever is the greater.
The May changes also gave the OAIC new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches.
Specific rules were also introduced in the May amendments to protect the personal information of children and other vulnerable groups, making awareness of obligations of particular importance for ECEC services.
Despite the amendments, and extensive information sharing about the importance of being aware of obligations under the NDB scheme, the second annual Chubb Australia SME Cyber Preparedness Report 2019 – “Ignorance is Risk” has revealed that nearly half of all Australian businesses in the small and medium enterprises (SME) class are not aware of their obligations.
“While larger companies seem to understand their obligations, SMEs are less clear,” Andrew Taylor, Cyber Underwriting Manager, Chubb Asia Pacific said. The report found that many SMEs do not understand precisely what type of data breaches require notification.
Speaking with Inside Small Business, Mr Taylor described the findings as a “huge concern”, saying a breach can be “catastrophic” for a smaller organisation, and that the lack of understanding around reporting obligations “raises the stakes further”.
The NDB scheme received 967 breach notifications between 1 July 2018 and 30 June 2019. Previously, private education providers (the category most closely aligned with ECEC) were found to be one of the top five offenders in the space.
One in two SMEs fell victim to a cyber incident in 2019, which is down from 64 per cent in 2018. Rather than being cause for celebration, however, the authors of the report noticed that SMEs have become “overly confident” in this space, with one in three (32 per cent) senior leaders assuming their businesses “will never experience a cyber incident”.
Other key findings from the report were that close to half of those surveyed (49 per cent) do not have a breach response plan, 79 per cent are confident that they can overcome a hacking attack within 24 hours, and alarmingly, only just over one quarter (27 per cent) of SMEs have risk insurance in relation to cyber risk.
In conversation with Inside Small Business, John DePeters, Chubb’s Cyber and Technology Industry Practice Manager, Australia and New Zealand, said it was imperative for Australian businesses to review their preparations closely, and ensure they are adequately equipped to manage cyber risk.
“We hope our research can raise awareness around cyber preparedness and emphasise to SMEs that, when it comes to cyber incidents, ignorance is risk not bliss.”