
A few months on: What has the Notifiable Data Breach Scheme taught us?

By now, many of our readers will be aware of the Notifiable Data Breach Scheme, which came into effect in Australia on 22 February 2018 (we published an article on the incoming scheme back in 2017).

The Notifiable Data Breach Scheme is set out in Part IIIC of the Privacy Act 1988 (Cth), which defines an ‘eligible data breach’ and sets out the steps an organisation must take when one occurs.  The scheme applies to entities already covered by the Privacy Act, which broadly means businesses with an annual turnover of $3 million or more, together with certain smaller entities such as health service providers and those that handle tax file numbers.  Accountants and financial planners will, in most cases, fall within its reach.

With the Notifiable Data Breach Scheme now having been in operation for close to nine months, Coleman Greig has taken a closer look at what the statistics are saying, and what organisations can learn from them in order to protect both themselves and their clients from data breaches.

What the statistics say

According to the Notifiable Data Breaches Quarterly Statistics Report published by the Office of the Australian Information Commissioner (OAIC), the OAIC received 245 data breach notifications between 1 July and 30 September 2018.  Of those, 85% involved contact information such as home addresses, phone numbers and email addresses, while 45% involved financial details, meaning bank account details, credit card numbers and tax file numbers.  (A single breach can involve more than one kind of information, so these figures do not add up to 100%.)

The data shows that the finance sector is particularly exposed to data breaches, with 14% of all breaches notified in the July to September quarter coming from accountants, financial planners, superannuation providers and other financial entities.  That made finance one of the two sectors hit hardest, second only to health service providers.

Alarmingly, the OAIC’s statistics show that 57% of all data breaches resulted from malicious or criminal attacks that were deliberately planned and carried out.  These range from phishing emails designed to trick staff into handing over credentials or access to your systems, through to more sophisticated intrusions into IT systems, including social engineering that impersonates employees.

Most of the remainder (37%) resulted from human error, such as unauthorised disclosure of client information through a failure to redact sensitive details, or simply emailing documents to the wrong recipient.

Within the finance sector the picture is reversed: 48% of breaches were due to human error, while 45% were due to a malicious or criminal attack.

What does this mean for accountants and financial providers?

The statistics published in the OAIC’s Notifiable Data Breaches Quarterly Statistics Report make it clear that protecting client information and having appropriate cyber security measures in place is crucial.  As an accountant or financial planner, you almost certainly store, or have access to, large volumes of personal and financial information relating to your clients.

A data breach can have serious consequences for both you and your client: it can be costly and time-consuming to rectify, and it can do lasting damage to your firm’s professional reputation.  In addition, failure to comply with the Notifiable Data Breach Scheme can attract civil penalties, cited at the time of writing as up to $1.8 million (the maximum penalties under the Privacy Act have since been increased substantially).

In order to prevent data breaches, or to limit their effects when one does occur, there are a number of measures organisations can take:

  1. Familiarise yourself with the Notifiable Data Breach Scheme, including what constitutes an ‘eligible data breach’ and what your reporting obligations are should a breach occur;
  2. Provide your staff with cyber security training so they can recognise phishing emails and other techniques designed to steal your information or credentials;
  3. Use strong, unique passwords (a password manager makes this practical), change any password immediately if you suspect it has been compromised, and enable multi-factor authentication wherever it is offered;
  4. Ensure that only those staff members who genuinely need access to a client’s personal and financial information are given it, and remove access when it is no longer needed;
  5. If you use a cloud-computing environment, ensure that your cloud provider is reputable and well established, has adequate security measures, and can tell you where your data is stored;
  6. Prepare an internal response plan that enables you to detect and contain data breaches, assess whether a breach is ‘eligible’, and notify both the OAIC and the affected individuals as soon as practicable;
  7. Keep operating systems and applications patched and up to date, and run current, effective security software; and
  8. Check whether your professional indemnity insurance provides adequate cover in the event of a data breach.

The statistics published in the OAIC’s Notifiable Data Breaches Quarterly Statistics Report show that accountants and financial planners are very real targets for cyber-attacks.  Coleman Greig therefore encourages you to be proactive in protecting yourself and your clients by putting appropriate security measures in place.

If you have a query relating to any of the information in this piece, or you would like to speak with a lawyer in Coleman Greig’s Privacy and Data Protection team about your organisation’s data breach response plan, please don’t hesitate to get in touch.

© 2024 Coleman Greig Lawyers   |  Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230