Padlock to represent computer security breach

A few months on: What has the Notifiable Data Breach Scheme taught us?

By now, Coleman Greig expects that many of our readers would have been made aware of the new Notifiable Data Breach Scheme, which came into effect in Australia from 22 February 2018 (in fact, we published an article on the incoming scheme back in 2017).

The Notifiable Data Breach Scheme can be found in Part IIIC of the Privacy Act 1988 (Cth), which sets out the exact definition of an ‘eligible data breach’, as well as the obligations and steps that organisations are required to follow in the event of an eligible data breach.  The Notifiable Data Breach Scheme applies to accountants, financial planners and all other businesses/entities with an annual turnover of $3 million or more.

With the Notifiable Data Breach Scheme having now been in operation for close to 9 months, Coleman Greig has decided to take a detailed look at what the current statistics are saying, as well as what organisations are able to glean from them in order to effectively protect both themselves and their clients from cyber-attacks.

What the statistics say

As part of their Notifiable Data Breaches Quarterly Statistics Report, the Office of the Australian Information Commissioner (OAIC) received notification of 245 data breaches between 1 July and 30 September 2018.  Of those reported data breaches, 85% involved the collection of personal information, such as home addresses, phone and email addresses, whilst 45% of all data breaches involved the collection of financial details.  Financial details include bank account details, credit card numbers and tax file numbers.

The data reveals that the finance sector is particularly susceptible to data breaches, with 14% of all breaches during the July to September quarter having been reported by accountants, financial planners, superannuation providers and other financial entities.  This reported percentage meant that the financial industry was one of the two industry sectors hit hardest by data breaches, with health service providers leading the charge.

Alarmingly, the statistics released by the OAIC reveal that 57% of all data breaches had occurred as a result of malicious criminal attacks which were intentionally planned and carried out.  These types of attacks can range from phishing emails designed to trick you into giving a hacker access to your information systems, all the way to sophisticated intrusions into your IT systems through the impersonation of employees.

The other large portion of data breaches (37%) occurred as a result of human error, such as unauthorised disclosure of client information by failing to redact sensitive information or simply emailing documents to the wrong recipient.

Within the finance sector, 48% of all data breaches occurred due to human error, whilst 45% occurred due to a malicious criminal attack.

What does this mean for accountants and financial providers?

The statistics published in the OAIC’s Notifiable Data Breaches Quarterly Statistics Report show us that protecting client information and ensuring that you have appropriate cyber security measures in place is absolutely crucial.  As an accountant and/or financial planner, it is highly likely that you both store and have access to large volumes of personal and financial information relating to your clients.

A data breach can have detrimental effects for both you and your client which can be costly, time consuming to rectify, and which may cause some serious damage to your firm’s professional reputation.  Additionally, failure to comply with the Notifiable Data Breach Scheme can result in fines of up to $1.8 million.

In order to prevent data breaches, or in the event of a breach, mitigate its effects, there a number of measures that organisations can take:

  1. Familiarise yourself with the Notifiable Data Breach Scheme, including what constitutes an ‘eligible data breach‘ and what your reporting obligations are should a breach occur;
  2. Provide your staff with cyber security training in order to assist them in identifying phishing emails and/or other cyber techniques designed to steal your information;
  3. Regularly change your passwords, ensuring that passwords are strong and secure;
  4. Ensure that only those staff members who require access to a client’s personal and financial information are given access;
  5. If you are using a cloud-computing software environment, ensure that your cloud provider is reputable, well-funded and has sufficient security measures;
  6. Prepare an internal response plan that enables you to identify data breaches, and report all eligible breaches to the OAIC as soon as they occur;
  7. Install security software and/or ensure that any software already in place is up to date and effective; and
  8. Check whether your professional indemnity insurance provides you with adequate protection in the event of a data breach.

The statistics published in the OAIC’s Notifiable Data Breaches Quarterly Statistics Report show us that accountants and financial planners alike are very real targets for cyber-attacks.  As such, Coleman Greig encourages you to be proactive in ensuring that you and your clients are protected by putting appropriate security measures in place.  

If you have a query relating to any of the information in this piece, or you would like to speak with a lawyer in Coleman Greig’s Privacy and Data Protection team in relation to your organisation’s data breach response plan, please don’t hesitate to get in touch:

Share:

Send an enquiry

Any personal information you provide is collected pursuant to our Privacy Policy.

Categories
Archives
Author

More posts

Employers should exercise caution when dismissing during probationary period

Can you dismiss an employee during the probationary period? Yes, but a recent case is a lesson in caution. The recent Federal Court decision of ‘Dabboussy v Australian Federation of Islamic Councils’ is a warning to employers to consider the importance of timing if dismissing an employee during probation.

The business impacts from the Government’s new cyber security laws

Cybercrime ‘is a multibillion-dollar industry that threatens the wellbeing and security of every Australian’. In an effort to combat the impact on businesses and individuals, the Australian Government has introduced cyber security legislative reforms into the Parliament.

A guide to intrafamily adoption

Adoption is the process where a parent’s legal rights for their child are transferred to another person. The formal adoption of a stepchild or close relative is known as intrafamily adoption.

Passenger movement and visa data-matching by the ATO

Heading overseas for work or a holiday? Taxation issues, including tax residency, should be on front of mind when departing from or arriving to Australia. Why? Because the Australian Taxation Office (ATO) can follow your footprints and, if you’re not careful, spring unexpected taxes on you.

Is it really necessary for my executor to have so many powers?

People often question why the executor of their estate needs to have so many powers. Simply put – if your executor isn’t given any additional powers by your Will, then they are limited to what is set out in the Trustee Act. One area that this can lead to issues in, is the family home – particularly if beneficiaries aren’t in agreement.

Essential terms of a commercial lease

A commercial lease is a contract that details the rights and obligations of a tenant and landlord. So, what are the necessary terms of a commercial lease?

Responding to data breaches

In the final part of our four-part series on your business’ responsibilities related to cyber attacks and data breaches, Special Counsel John Bennett how businesses should respond to data breaches, including application and requirements of the Notifiable Data Breaches Scheme.

Security of personal information

Part 3 of a four-part series on your business’ responsibilities related to cyber attacks and data breaches where Special Counsel, John Bennett provides an overview of some court decisions and proceedings where ‘security’ of personal information has come into issue.

Parental alienation in Family Law

The concept, Parental Alienation Syndrome, was initially brought about by American psychiatrist Richard Gardner in 1985. The term parental alienation is used to describe a situation where one parent is involved in psychologically manipulating their child to turn against the other parent.

Are you liable for labour hire workers if they are injured?

Many employers (host employers) engage employees of labour hire companies, particularly in the building and construction, hospitality and manufacturing industries. However, what happens when one of these employees gets injured at the host employer’s work site? Who is liable for the injuries?

© 2024 Coleman Greig Lawyers  |  Sitemap  |  Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230