Being the victim of a data breach can be daunting and can result in significant damage to your business. It is important to know what your obligations are and how to protect your clients and your business.
If you thought that data breaches are confined to larger businesses, think again. The Australian Small Business and Family Enterprise Ombudsman 'Small Business Cyber Security Best Practice Guide' indicates that small business is now the target of approximately 43 per cent of all cyber crime.
Mandatory notification obligation
Schedule 1 of the Privacy Amendment (Notifiable Data Breaches) Act 2017 came into force on 22 Feb 2018 and made it mandatory for all businesses with an annual turnover of more than $3 million to report any eligible data breaches (those involving personal client information) to the Office of the Australian Information Commissioner (OAIC).
The notifiable data breach (NDB) scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988. With penalties of up to $420,000 for individuals and $2.1 million for organisations, the impact of a breach on small businesses can be significant.
The privacy law amendment brought Australia in line with current data breach notification schemes in place in the US and Europe. It is expected that these measures will improve the privacy protection of Australians without placing an unreasonable regulatory burden on business.
Personal information and client expectations
The royal commission into financial services has shown what can happen to financial service businesses when client trust is jeopardised and community expectations are not met.
In an industry where financial advisers are experiencing many changes and challenges and in a world that is becoming increasingly digitised, clients are expecting and demanding more from their adviser. Clients now expect that not only will you help to plan and protect their financial future, but also ensure that the personal information that you hold about them is safe and secure.
A data breach can impact your clients in a number of ways, such as identity theft, significant financial loss and threats to an individual’s physical safety.
It’s not hard to imagine what would happen to your clients’ trust in your ability to look after their best interests if their personal information that you held was unintentionally lost or intentionally hacked and then used to cause harm to them.
The reason for mandatory data breach notification is that, if an individual is at real risk of serious harm because of a data breach involving their personal information, receiving notification of the breach can allow that person to take action to protect themselves from that harm. For example, an affected individual might change an online password or cancel a credit card after receiving notification that their personal information has been compromised in a data breach.
From 1 April to 30 June 2018, the OAIC received 36 data breach notifications for the finance sector, of which 50 per cent were human error (the most common error being the sending of personal information to the wrong recipient by email), 47 per cent malicious criminal attack (cyber incidents being the most common type of attack) and 3 per cent system faults.
Almost half of all data breaches that have been reported to the OAIC are the result of malicious criminal attacks. Of those, phishing (leading to compromised credentials) accounts for 50 per cent, compromised or stolen credentials for 36 per cent, ransomware for 7 per cent and brute-force attack for 7 per cent.
What is an eligible data breach?
A data breach generally occurs when you have identified the following:
What are your obligations?
If you suspect that an eligible data breach has happened, then you must make an assessment of the relevant circumstances within 30 calendar days after the day that you became aware of the grounds (or information) that caused you to suspect an eligible data breach.
Once you become aware that such a breach has occurred, then, as soon as practicable, you must notify the OAIC and affected individuals (unless an exception applies).
The notification must include:
Steps you can take now to protect your clients and your business
Actions that can help to protect your clients and your business from a data breach include:
Nikolas Kloufetos, managing director, Advice Compliance Support. Nikolas was named Compliance Consultant of the Year at the 2018 ifa Excellence Awards.
Adrian Flores is a deputy editor at Momentum Media, focusing mainly on banking, wealth management and financial services. He has also written for Public Accountant, Accountants Daily and The CEO Magazine.
You can contact him on [email protected].