A few months on: What has the Notifiable Data Breach Scheme taught us?

By now, Coleman Greig expects that many of our readers would have been made aware of the new Notifiable Data Breach Scheme, which came into effect in Australia from 22 February 2018 (in fact, we published an article on the incoming scheme back in 2017).

The Notifiable Data Breach Scheme can be found in Part IIIC of the Privacy Act 1988 (Cth), which sets out the exact definition of an ‘eligible data breach’, as well as the obligations and steps that organisations are required to follow in the event of an eligible data breach.  The Notifiable Data Breach Scheme applies to accountants, financial planners and all other businesses/entities with an annual turnover of $3 million or more.

With the Notifiable Data Breach Scheme having now been in operation for close to 9 months, Coleman Greig has decided to take a detailed look at what the current statistics are saying, as well as what organisations are able to glean from them in order to effectively protect both themselves and their clients from cyber-attacks.

What the statistics say

According to the OAIC’s Notifiable Data Breaches Quarterly Statistics Report, the Office of the Australian Information Commissioner (OAIC) received notification of 245 data breaches between 1 July and 30 September 2018.  Of those reported data breaches, 85% involved contact information, such as home addresses, phone numbers and email addresses, whilst 45% of all data breaches involved financial details.  Financial details include bank account details, credit card numbers and tax file numbers.

The data reveals that the finance sector is particularly susceptible to data breaches, with 14% of all breaches during the July to September quarter having been reported by accountants, financial planners, superannuation providers and other financial entities.  This reported percentage meant that the financial industry was one of the two industry sectors hit hardest by data breaches, with health service providers leading the charge.

Alarmingly, the statistics released by the OAIC reveal that 57% of all data breaches had occurred as a result of malicious criminal attacks which were intentionally planned and carried out.  These types of attacks can range from phishing emails designed to trick you into giving a hacker access to your information systems, all the way to sophisticated intrusions into your IT systems through the impersonation of employees.

The other large portion of data breaches (37%) occurred as a result of human error, such as unauthorised disclosure of client information by failing to redact sensitive information or simply emailing documents to the wrong recipient.

Within the finance sector, 48% of all data breaches occurred due to human error, whilst 45% occurred due to a malicious criminal attack.

What does this mean for accountants and financial providers?

The statistics published in the OAIC’s Notifiable Data Breaches Quarterly Statistics Report show us that protecting client information and ensuring that you have appropriate cyber security measures in place is absolutely crucial.  As an accountant and/or financial planner, it is highly likely that you both store and have access to large volumes of personal and financial information relating to your clients.

A data breach can have detrimental effects for both you and your client which can be costly, time consuming to rectify, and which may cause some serious damage to your firm’s professional reputation.  Additionally, failure to comply with the Notifiable Data Breach Scheme can result in fines of up to $1.8 million.

In order to prevent data breaches, or to mitigate their effects should a breach occur, there are a number of measures that organisations can take:

  1. Familiarise yourself with the Notifiable Data Breach Scheme, including what constitutes an ‘eligible data breach’ and what your reporting obligations are should a breach occur;
  2. Provide your staff with cyber security training in order to assist them in identifying phishing emails and/or other cyber techniques designed to steal your information;
  3. Regularly change your passwords, ensuring that passwords are strong and secure;
  4. Ensure that only those staff members who require access to a client’s personal and financial information are given access;
  5. If you are using a cloud-computing software environment, ensure that your cloud provider is reputable, well-funded and has sufficient security measures;
  6. Prepare an internal response plan that enables you to identify data breaches, and report all eligible breaches to the OAIC as soon as they occur;
  7. Install security software and/or ensure that any software already in place is up to date and effective; and
  8. Check whether your professional indemnity insurance provides you with adequate protection in the event of a data breach.

The statistics published in the OAIC’s Notifiable Data Breaches Quarterly Statistics Report show us that accountants and financial planners alike are very real targets for cyber-attacks.  As such, Coleman Greig encourages you to be proactive in ensuring that you and your clients are protected by putting appropriate security measures in place.  

If you have a query relating to any of the information in this piece, or you would like to speak with a lawyer in Coleman Greig’s Privacy and Data Protection team in relation to your organisation’s data breach response plan, please don’t hesitate to get in touch.

© 2024 Coleman Greig Lawyers  |  Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230