Mass hack exposes ‘gaping’ hole in small business privacy


The federal government is being urged to close a “gaping” hole in Australia’s antiquated privacy regime by removing the small business carve out, following the country’s largest data breach since 2018.

Simon Bush, the chief executive of the Australian Information Industry Association (AIIA), made the appeal on Friday, ahead of long-awaited amendments to the Privacy Act being introduced to Parliament next month.

The government last year agreed in principle to remove the small business exemption as part of its response to the Privacy Act Review, pending more consultation with the sector on the cost of compliance.

Most small businesses with an annual turnover of $3 million or less are currently exempt, despite accounting for 97 per cent of businesses in Australia. A further two per cent are classified as medium-sized (i.e. those with fewer than 200 employees).

The carve out is also universal, meaning small businesses known to hold highly sensitive personal information, such as boutique professional services, health and accounting firms, are not obliged to comply with the Privacy Act.

But the AIIA believes they should not be exempt “just because they have a smaller turnover” and is calling on the government to remove the carve out, instead of bowing to “noisy small business lobbyists”.

“The digital economy is [only] as strong as the weakest link and the small business exemption is that weakest link,” Mr Bush said, echoing comments in an AIIA submission last year.

“SMEs like General Practitioners and accountants can hold sensitive personal data… Exempting them is essentially leaving a gaping backdoor open and we are a global outlier in having such a privacy exemption.”

Mr Bush’s comments come a day after former electronic prescription provider MediSecure revealed at least 12.9 million Australians had been caught up in the ransomware attack, first discovered by the company in April.

Medicare card numbers and health identifiers, as well as names, addresses and phone numbers, provided over a 56-month period between March 2019 and November 2023 are among the sensitive personal information stolen.

According to the Office of the Australian Information Commissioner, it is the largest data breach under the Notifiable Data Breaches scheme. The Optus and Medibank data breaches in September and October 2022 impacted 9.8 million and 9.7 million people, respectively.

The AIIA has highlighted the breach as a reason for new safeguards, including a “clear distinction” between small businesses in the legislation, covering those that handle health, financial, and personally identifiable information.

“Coupled with the lack of distinction and liability assigned between data controllers and processors, Australian businesses are left confused on who is responsible for what and what remedial actions must be taken quickly,” Mr Bush said.

“The industry has waited for the Privacy Act review for five years to set clear expectations and support mechanism to help both large companies and SMEs to meet these expectations.”

The AIIA described the MediSecure data breach as “disconcerting” for the 12.9 million Australians who had their data stolen and said it “reinforces the need for a cyber secure economy”.

Australia’s Privacy Commissioner Carly Kind, who joined the OAIC in February, said the “size and scope” of the MediSecure data breach is another reminder of the need for organisations to protect personal information.

She added that “coverage of Australia’s privacy legislation lags behind the advancing skills of malicious cyber actors” and reforms are “urgent to ensure all Australian organisations build the highest levels of security into their operations”.

The OAIC is continuing its inquiries into MediSecure and its administrators, Vaughan Strawbridge and Paul Harlond of FTI Consulting, to understand its compliance with the NDB scheme.

Under the NDB scheme, companies are subject to fines of $50 million, or 30 per cent of a company’s adjusted turnover in the relevant period, whichever is larger, for serious privacy breaches.

Do you know more? Contact James Riley via Email.
