A few months on: What has the Notifiable Data Breach Scheme taught us?

James Ferguson

By now, Coleman Greig expects that many of our readers would have been made aware of the new Notifiable Data Breach Scheme, which came into effect in Australia from 22 February 2018 (in fact, we published an article on the incoming scheme back in 2017).

The Notifiable Data Breach Scheme can be found in Part IIIC of the Privacy Act 1988 (Cth), which sets out the exact definition of an 'eligible data breach', as well as the obligations and steps that organisations are required to follow in the event of an eligible data breach.  The Notifiable Data Breach Scheme applies to accountants, financial planners and all other businesses/entities with an annual turnover of $3 million or more.  

With the Notifiable Data Breach Scheme having now been in operation for close to 9 months, Coleman Greig has decided to take a detailed look at what the current statistics are saying, as well as what organisations are able to glean from them in order to effectively protect both themselves and their clients from cyber-attacks.

What the statistics say

According to its Notifiable Data Breaches Quarterly Statistics Report, the Office of the Australian Information Commissioner (OAIC) received notification of 245 data breaches between 1 July and 30 September 2018.  Of those reported data breaches, 85% involved personal information such as home addresses, phone numbers and email addresses, whilst 45% involved financial details.  Financial details include bank account details, credit card numbers and tax file numbers.

The data reveals that the finance sector is particularly susceptible to data breaches, with 14% of all breaches during the July to September quarter having been reported by accountants, financial planners, superannuation providers and other financial entities.  This made the financial industry one of the two industry sectors hit hardest by data breaches, second only to health service providers.

Alarmingly, the statistics released by the OAIC reveal that 57% of all data breaches occurred as a result of malicious criminal attacks which were deliberately planned and carried out.  These attacks range from phishing emails designed to trick you into giving an attacker access to your information systems, all the way to sophisticated intrusions into your IT systems carried out by impersonating employees.

The other large portion of data breaches (37%) occurred as a result of human error, such as unauthorised disclosure of client information by failing to redact sensitive information or simply emailing documents to the wrong recipient.

Within the finance sector, 48% of all data breaches occurred due to human error, whilst 45% occurred due to a malicious criminal attack.

What does this mean for accountants and financial providers?

The statistics published in the OAIC's Notifiable Data Breaches Quarterly Statistics Report show us that protecting client information and ensuring that you have appropriate cyber security measures in place is absolutely crucial.  As an accountant and/or financial planner, it is highly likely that you both store and have access to large volumes of personal and financial information relating to your clients.

A data breach can have detrimental effects for both you and your client which can be costly, time consuming to rectify, and which may cause some serious damage to your firm's professional reputation.  Additionally, failure to comply with the Notifiable Data Breach Scheme can result in fines of up to $1.8 million.

In order to prevent data breaches, or to mitigate the effects of a breach should one occur, there are a number of measures that organisations can take:

  1. Familiarise yourself with the Notifiable Data Breach Scheme, including what constitutes an 'eligible data breach' and what your reporting obligations are should a breach occur;
  2. Provide your staff with cyber security training in order to assist them in identifying phishing emails and/or other cyber techniques designed to steal your information;
  3. Regularly change your passwords, ensuring that passwords are strong and secure;
  4. Ensure that only those staff members who require access to a client's personal and financial information are given access;
  5. If you are using a cloud-computing software environment, ensure that your cloud provider is reputable, well-funded and has sufficient security measures;
  6. Prepare an internal response plan that enables you to identify data breaches, and report all eligible breaches to the OAIC as soon as they occur;
  7. Install security software and/or ensure that any software already in place is up to date and effective; and
  8. Check whether your professional indemnity insurance provides you with adequate protection in the event of a data breach.

The statistics published in the OAIC's Notifiable Data Breaches Quarterly Statistics Report show us that accountants and financial planners alike are very real targets for cyber-attacks.  As such, Coleman Greig encourages you to be proactive in ensuring that you and your clients are protected by putting appropriate security measures in place.  

If you have a query relating to any of the information in this piece, or you would like to speak with a lawyer in Coleman Greig's Privacy and Data Protection team in relation to your organisation's data breach response plan, please don't hesitate to get in touch: