How to handle notifiable data breaches

If you thought that data breaches are confined to larger businesses, think again. The Australian Small Business and Family Enterprise Ombudsman 'Small Business Cyber Security Best Practice Guide' indicates that small business is now the target of approximately 43 per cent of all cyber crime.

Mandatory notification obligation

Schedule 1 of the Privacy Amendment (Notifiable Data Breaches) Act 2017, came into force on 22 Feb 2018 and made it mandatory for all businesses with an annual turnover of more than $3 million to report any eligible data breaches (that contain personal client information) to the Office of the Australian Information Commissioner (OAIC).

The notifiable data breach (NDB) scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988. With penalties of up to $420,000 for individuals and $2.1 million for organisations, the impact of a breach on small businesses can be significant.

The privacy law amendment brought Australia in line with current data breach notification schemes in place in the US and Europe. It is expected that these measures will improve the privacy protection of Australians without placing an unreasonable regulatory burden on business.

Personal information and client expectations

The royal commission into financial services has shown what can happen to financial service businesses when client trust is jeopardised and community expectations are not met.

In an industry where financial advisers are experiencing many changes and challenges and in a world that is becoming increasingly digitised, clients are expecting and demanding more from their adviser. Clients now expect that not only will you help to plan and protect their financial future, but also ensure that the personal information that you hold about them is safe and secure.

A data breach can impact your clients in a number ways such as identity theft, significant financial loss and threats to an individual’s physical safety.

It’s not hard to imagine what would happen to your clients’ trust in your ability to look after their best interests if their personal information that you held was unintentionally lost or intentionally hacked and then used to cause harm to them.

The reason for mandatory data breach notification is that, if an individual is at real risk of serious harm because of a data breach involving their personal information, receiving notification of the breach can allow that person to take action to protect themselves from that harm. For example, an affected individual might change an online password or cancel a credit card after receiving notification that their personal information has been compromised in a data breach.

From the 1 April-30 June 2018, the OAIC received 36 data breach notifications for the finance sector, of which 50 per cent were human error (most common error is the sending of personal information to the wrong recipient by email, 47 per cent malicious criminal attack (cyber incidents being the most common type of attack) and 3 per cent system faults.

Almost half of all data breaches that have been reported to the OAIC are the result of malicious criminal attacks that include phishing (compromised credentials) at 50 per cent, compromised or stolen credentials at 36 per cent, ransomware at 7 per cent and brute-force attack at 7 per cent.

What is an eligible data breach?

A data breach generally occurs when you have identified the following:

1. There has been unauthorised access to or unauthorised disclosure of personal information, or a loss (accidental or inadvertent loss of personal information where it is likely to result in unauthorised access or disclosure) of personal information about one or more individuals that your entity holds;
2. This is likely to result in serious harm to one or more individuals; and
3. You have not been able to stop the likely risk of serious harm (can be psychological, emotional, physical, reputational, or other forms of harm) with remedial action.

What are your obligations?

If you suspect that that an eligible data breach has happened, then you must make an assessment into the relevant circumstances within 30 calendar days after the day that you became aware of the grounds (or information) that caused you to suspect an eligible data breach.

Once you become aware that such a breach has occurred, then, as soon as practicable, you must notify the OAIC and affected individuals (unless an exception applies).

The notification must include:

• The identity and contact details of your entity;
• A description of the data breach;
• The kinds of information concerned; and
• Recommendations about the steps that individuals should take in response to the serious data breach.

Steps you can take now to protect your clients and your business

Actions that can help to protect your clients and your business from a data breach include:

1. Review all insurances that cover data loss protection and cyber risk insurance that include client protection and counselling services;
2. Review your IT provider’s services relating to data protection and IT security;
3. Update licensee agreements relating to any updated IT security and insurance requirements;
4. Update policies, processes and procedures and ensure that they contain early detection systems and a data breach response plan to be able to identify and address any data breaches quickly;
5. Provide training to your staff and representatives so that they are aware of their legal obligations and actions they can take to help mitigate the risk of a data breach;
6. Create consistency in how you hold and secure client information i.e. holding client information in a central and secure CRM database can be an effective way to monitor and protect client information. It may also save time and cost if you need to manage any remediation activities resulting from a data breach when compared with managing a plethora of files and folders on remote cloud information storage providers across many representatives that may operate in different locations across Australia; and
7. Ensure any third parties you use that collect or manage your clients data are also insured and have adequate data breach controls in place.

Nikolas Kloufetos, managing director, Advice Compliance Support. Nikolas was named Compliance Consultant of the Year at the 2018 ifa Excellence Awards.

Adrian Flores

Adrian Flores is a deputy editor at Momentum Media, focusing mainly on banking, wealth management and financial services. He has also written for Public Accountant, Accountants Daily and The CEO Magazine.

You can contact him on [email protected].