Tourism businesses are not immune: Data Management and Cyber Security 

By Paul Gordon, Partner, IP & Technology, Wallmans Lawyers 

For many businesses, it can be a dangerous world online. Every week the news features the next company to suffer a data breach or system hack.

Phishing scams, ransomware, malicious software and denial of service attacks, once terminology reserved for tech gurus are now fundamental concepts that businesses of every size needs to understand in order to protect themselves from third party attacks.

And whilst big business will often grab the headlines, small and medium sized businesses are not immune.

If you are a victim of a cyber attack, it is often easy to focus on the tangible impact to your business, be it the loss of data, business interruption or damage to reputation, however if you fail to consider the legal consequences of a cyber attack, you could face risks even greater than the cyber attack itself.

If your business is caught by the Privacy Act 1989 (Cth) (e.g. you have a turnover of $3M/year or more, if you provide health or fitness services, or deal in data), or if you are subject to the GDPR (because you market services to people in the EU), you may have legal obligations to maintain adequate security for personal information that your organisation holds.

How much security you need will depend on the sensitivity of your data. Customers’ preferences for ice cream flavours require less security than their health information (such as allergies) or religion (if noted on your files).

If something happens and you either lose that data, or a third party gets access to it, and if it is possible that serious harm may occur because of that breach, you may be required to report it to the Australian Information Commissioner.

This involves explaining what happened, how it happened, and what you have done to limit the harm. In most cases you will also have to notify every individual whose information was compromised.

A failure to provide reasonable levels of security, and a failure to make a report, can lead to serious financial penalties for businesses.

It is also important for businesses to have clear privacy policies, data breach response plans and adequately trained staff to make sure you are able to comply with your legal obligations.

Preventative measures now, both from a cyber security perspective, but also a legal perspective, can pay long term dividends if you are ever caught in a hacker’s sights.

Wallmans undertakes cyber security policy and process audits which highlight areas of compliance and where gaps may leave your business at risk. Additionally, they advise on general protections, privacy, GDPR and assisting your business through a breach. 

As a valued supporter of TiCSA, all members have access to an initial 15-minute free call to discuss any legal (or potential) legal issues. Please call 8235 3052.