Can you prevent a hack?

Clarke McEwan Accountants



In the wake of the Optus data leak, legislation before Parliament will lift the maximum fine for serious or repeated breaches of the Privacy Act from $2.2m to up to $50m. But there are no guarantees that even the strongest safety measures will prevent an attack. So, what does that mean for businesses and their customers?


Legislation before Parliament will lift penalties for serious or repeated privacy breaches, provide new powers to the Australian Information Commissioner, require entities to provide detailed data to the Information Commissioner to assess public risk, and give the regulator greater information sharing powers. In a statement, Attorney General Mark Dreyfus said, “When Australians are asked to hand over their personal data they have a right to expect it will be protected.” But the question is, can any business claim that customer data will be protected from hackers?


If a customer must disclose personal information to your business in order to work with you, then from the point that data is collected your business is its custodian. A duty of care exists from the moment the data is collected until the information is no longer required and has been destroyed.


The Privacy Act requires organisations to take “reasonable steps” to protect the data collected. ‘Reasonable’ steps “requires the existence of facts which are sufficient to [persuade] a reasonable person.” That is, in the event of a data breach, the business will need to show what steps it has taken to protect client data.


Lessons from RI Advice


Australian Competition and Consumer Commission v RI Advice Group Pty Ltd was a landmark case. While specific to the obligations of an Australian Financial Services Licence (AFSL) holder, it demonstrates that ASIC is willing to pursue not just companies that breach their duty of care but the directors and officers involved.


RI Advice is a financial services company that, through its AFSL, authorised representatives to provide financial services. As you would expect, in the course of providing those services the authorised representatives received, stored and accessed confidential and sensitive personal information. Between June 2014 and May 2020, nine cybersecurity incidents occurred at practices of RI Advice’s Authorised Representatives. Enquiries following the incidents revealed:


  • Computer systems which did not have up-to-date antivirus software installed and operating
  • No filtering or quarantining of emails
  • No backup systems or back-ups being performed; and
  • Poor password practices including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.


RI Advice took steps to manage its cybersecurity, introducing a cyber resilience program and controls and risk management measures for its representatives, including training, incident reporting, and contractual professional standard terms, but by its own admission it took too long to implement them.


RI Advice was ordered to pay $750,000 towards ASIC's costs. Handing down the decision Justice Rofe said, “It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”


Scams and how to avoid them


I got a text the other day: “Hi Mum, I have broken my phone and I am using this number.” The “Hi Mum” scam has exploded, with more than 1,150 Australians falling victim to the ploy in the first seven months of 2022 and total reported losses of $2.6 million. Once the scammer establishes contact, they start requesting money for an urgent bill, a replacement phone, and so on. For those with children or dependent family members, it is not that hard to believe. According to the Australian Competition and Consumer Commission (ACCC), two-thirds of family impersonation scams were reported by women over 55 years of age.


Another common scam is the “lost” or “unable to deliver” package text and voicemail. With Christmas just around the corner, we can expect to see another escalation of this scam, where tracking links purportedly from Australia Post, Toll, Amazon and the like are used to install malware. Once installed, the malware harvests your contacts to spread itself further and can potentially access your personal information and bank details.


In July, the Australian Taxation Office (ATO) reported a new wave of ‘Tax refund SMSF scams’. The texts purported to be from the ATO stating that the individual had a tax refund and to click on the link and complete the form. Another scam purporting to be from the ATO advised that the recipient was suspected of being involved in cryptocurrency tax evasion and requested that they connect their wallet. At which point the wallet was accessed and any assets stolen.


The ACCC’s Targeting Scams report states that in 2021, nearly $1.8bn in losses were reported, but the real figure is likely to be well over $2bn.


The largest combined losses in 2021 were:


  • $701 million lost to investment scams, with 2021 figures significantly increased by cryptocurrency scams: more scammers are seeking payment with cryptocurrency, and losses to this payment method increased 216% to $84 million.
  • $227 million lost to payment redirection scams.
  • $142 million lost to romance scams.


Protecting yourself from scams


Help educate older relatives. The over 55s are the most likely to fall victim to a scam.

  • Always use the primary website or app of your suppliers not a link from a text or email.
  • Don’t click on links from emails or text messages unless you are (absolutely) certain of the source. For email, if the sending domain is not clear or is hidden, hover over the sender’s display name to reveal the actual address and check that it belongs to the company’s domain.
  • For Government services, use your myGov account. Any messages to you from the ATO or other Government services will be published to your myGov account. Never click on links purporting to be from a bank, the ATO or a Government department.


Protecting your business from scams


Payment redirection scams, where the email of the business is compromised, caused the highest reported level of loss for business in 2021 at a combined $227 million.

Payment redirection scams involve scammers impersonating a business or its employees via email and requesting that an upcoming payment be redirected to a fraudulent account. In some cases, scammers hack into a legitimate email account and pose as the business, intercepting legitimate invoices and amending the bank details before releasing the emails to the unsuspecting business. Other times, scammers impersonate people using a registered email address that is very similar to one from a legitimate business.


  • Educate your team about threats and what to look out for, the importance of passwords and password security, and how to manage customer information. Phishing attacks, if successful, provide direct access into your systems.
  • Ensure staff only have access to the business systems and information they need. Assess what is required and close out access to anything not required. Also assess how customer personal information is accessed and communicated. Personal information should not be emailed. Email is not secure and it is too easy for staff to inadvertently send data to the wrong person.
  • No shared login details or passwords.
  • Complete a risk assessment of your systems and add cybersecurity to your risk management framework.
  • Develop and implement cyber security policies and protocols. Have policies and procedures in place for who is responsible for cybersecurity, the expectations of staff, and what to do in the event of a breach. Your policies should prevent shadow IT systems, where employees download unauthorised software.
  • Understand your organisation’s legal obligations. For example, beyond the Privacy Act some businesses considered critical infrastructure such as some freight and food supply operations are subject to the Security of Critical Infrastructure Act 2018. This might involve small businesses in the supply chain.
  • Use multifactor authentication on your systems and third-party systems.
  • Update software and devices regularly so that security patches are applied.
  • Back-up data and have backup protocols in place. If hackers use ransomware to lock your systems, you can revert to your backup.
  • If customer data is being shared with related or third parties domiciled overseas, ensure your customer is aware of where their data is domiciled and your business has taken all reasonable steps to enforce the Australian Privacy Principles. Your business is responsible for how the overseas recipient utilises your customer’s data.
  • Only collect the customer data you need to provide the goods and services you offer.
  • Ensure protocols are in place for accounts payable.
  • Don’t forget the hardware – laptops, computers, phones.
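As an added illustration of the accounts-payable protocol the list calls for (this is example code, not from the original article), the check below holds an invoice for out-of-band verification when the sending domain or the bank details differ from the vendor record verified at onboarding. The vendor master file, domains, and invoices are all constructed for the example.

```python
"""Accounts-payable hold check for payment redirection scams (constructed example)."""
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed vendor master file: the sending domain and bank details that were
# verified out of band (a phone call to a known number) when the vendor was set up.
VENDOR_MASTER = {
    "acme supplies": {"domain": "acmesupplies.example", "bsb": "062-000", "account": "12345678"},
    "toll freight": {"domain": "tollfreight.example", "bsb": "033-000", "account": "87654321"},
}


@dataclass
class Invoice:
    vendor: str          # vendor name as it appears on the invoice
    sender: str          # From header, e.g. 'Acme Supplies <accounts@acmesupplies.example>'
    bsb: str             # bank details printed on the invoice
    account: str


def sender_domain(sender: str) -> str:
    """Domain of the real address, ignoring any display name in front of it."""
    addr = sender.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def looks_like(domain: str, trusted: str) -> bool:
    """True when domain is not the trusted domain but is close enough to be mistaken for it."""
    if domain == trusted:
        return False
    # Similarity threshold is a constructed choice for this example; tune it for real data.
    return SequenceMatcher(None, domain, trusted).ratio() >= 0.85


def review_invoice(inv: Invoice, master=VENDOR_MASTER) -> list[str]:
    """Return the reasons this invoice must be held; an empty list means pay as normal."""
    holds = []
    record = master.get(inv.vendor.lower())
    if record is None:
        return ["unknown vendor: not in master file"]
    domain = sender_domain(inv.sender)
    if domain != record["domain"]:
        if looks_like(domain, record["domain"]):
            holds.append(f"sender domain {domain!r} is a lookalike of {record['domain']!r}")
        else:
            holds.append(f"sender domain {domain!r} does not match vendor record {record['domain']!r}")
    if (inv.bsb, inv.account) != (record["bsb"], record["account"]):
        holds.append("bank details differ from vendor master; confirm by phone on the number on file")
    return holds


if __name__ == "__main__":
    # Constructed invoices: one genuine, one from a lookalike domain with new bank details.
    for inv in (
        Invoice("Acme Supplies", "Acme Supplies <accounts@acmesupplies.example>", "062-000", "12345678"),
        Invoice("Acme Supplies", "Acme Supplies <accounts@acmesuppiies.example>", "062-000", "99999999"),
    ):
        print(inv.vendor, "->", review_invoice(inv) or "OK to pay")
```

The bank-details rule is the one that matters most: a changed account number is held even when the email comes from the vendor’s genuine (but compromised) mailbox, which a domain check alone would miss.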