Small businesses could be forced to protect customers' personal information, under government changes to Privacy Act

Australian Information and Privacy Commissioner Angelene Falk said the risk of small businesses falling victim to cybercrime was growing.

"While small businesses might be using their best efforts to protect personal information, there is no legal requirement to do so and therefore no recourse for individuals if their personal information is compromised," Ms Falk said.

"If they were to be brought into the act then they would need to tell their customers how they're handling personal information.

A majority of submitters to the review supported the reform, with business groups citing concerns the cost of compliance would severely damage the 2.5 million small businesses which had already suffered through the pandemic.

Change could be the end of some small businesses

Sydney travel agent Donna Meads-Barlow, who has 40 years of industry experience, said she might be forced to close her business if the exemption was removed.

"Pre-COVID, we were a very large business that was turning over in excess of $25 million," Ms Meads-Barlow said.

"Post-COVID, we are now a business that fits into that less than $3 million. We would be lucky if we have a gross revenue of $150,000.

"I understand cybersecurity and the Privacy Act, and I think it's very important, but for us to be able to report like big business does, that's a substantial cost that's required to a small business with very little income.

Deputy chair of the Council of Small Business Organisations Australia Elizabeth Skirving agreed the cost burden of removing the exemption was too high.

"We understand the concern people have with regard to privacy and data security, but we really believe there should be a scaled response as dealing with small businesses, they are resource and time poor," Ms Skirving said.

"Those businesses that are under $3 million that are currently exempt are made up of mum and dad families, are probably not the ones that are not going to be targeted for cyber acts, but also don't have the ability to buy really sophisticated software to cover off on that concern.

"The cost to business of putting that in place rather than having an impact from a cyber attack would certainly be best, but it's about a measured way of doing that so that it is a scaled response."

Small businesses no longer low risk

The Actuaries Institute has compiled evidence that hackers view smaller businesses as easier targets.

The Australian Cyber Security Centre last year found small businesses faced an average cost of $39,000 per cybercrime report.

RMIT cyber security expert Matt Warren said limited budgets left small businesses vulnerable.

"They don't necessarily have the expertise or the systems in place to protect the information they hold, but yet they can hold credit card details, passport details — anything a cyber attacker would be interested in.

"With the Privacy Act, data about Australian citizens has to reside within Australia but, because small businesses have been exempt, if they use a cloud service provider to store their data and they've picked the cheapest system, there was never a requirement for them to ask the question."

The federal government has not made a decision on the proposal. Consultation is closing at the end of the month.