“Ransomware”, “Hacking” and “Cybercrime” are commonly used terms in today’s online world. If you store information electronically, that information is at risk of being accessed, stolen, destroyed or even held to ransom. Yes, this is true. Small businesses are being targeted by scammers who hack into computers, lock access and only restore it when the business owner pays a ransom.
Personal information such as names, addresses and bank details is valuable and can be sold for a high price. Just look at what happened to Target in the US or the dating website Ashley Madison.
Small businesses cannot necessarily afford the security or information technology support that large corporations have, which means the business can be easier to disrupt and is more vulnerable to attacks.
So what are your obligations to protect your customers’ privacy?
Businesses that have an annual turnover of less than $3 million are exempt from complying with the Privacy Act, unless they are in the health or fitness industry, in which case the Act applies. This is because, in addition to personal information, health and fitness providers also obtain medical and health information, which is considered sensitive and deserving of greater protection.
If your business is exempt, you can still opt in and choose to comply with the obligations. One of those obligations relates to keeping personal information secure by taking reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure.
The reasonableness of the steps that a business needs to take to protect information will vary depending upon the size of the business, the nature of the business and the resources available. The steps that are most appropriate for a business will also depend upon how sensitive the information is that is being held. For example, bank account details will warrant greater security than an email address.
The requirement involves implementing active measures; just having a privacy statement or policy is not enough. You should consider the particular risks that you are exposed to and identify measures that can reduce those risks, for example through the use of passwords, changing passwords regularly, restricting access to certain functionalities, and checking the adequacy of your backup procedures, hardware and software.
Whether or not you are required by law to protect personal information, in a society heavily reliant upon technology it is recommended as a sensible practice.