Being the victim of a data breach can be daunting and can result in significant damage to your business. It is important to know what your obligations are and how to protect your clients and your business.
Mandatory notification obligation
Schedule 1 of the Privacy Amendment (Notifiable Data Breaches) Act 2017 came into force on 22 February 2018 and made it mandatory for all businesses with an annual turnover of more than $3 million to report any eligible data breaches (those involving personal client information) to the Office of the Australian Information Commissioner (OAIC).
The Notifiable Data Breach (NDB) scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act). With penalties of up to $420,000 for individuals and $2.1 million for organisations, the impact of a breach on small businesses can be significant.
The privacy law amendment brought Australia in line with current data breach notification schemes in place in the US and Europe. It is expected that these measures will improve the privacy protection of Australians without placing an unreasonable regulatory burden on business.
Personal information and client expectations
The royal commission into financial services has shown what can happen to financial service businesses when client trust is jeopardised and community expectations are not met.
In an industry where financial advisers are experiencing many changes and challenges, and in a world that is becoming increasingly digitised, clients are expecting and demanding more from their adviser. Clients now expect that you will not only help to plan and protect their financial future, but also ensure that the personal information you hold about them is safe and secure.
A data breach can impact your clients in a number of ways, such as identity theft, significant financial loss and threats to an individual’s physical safety.
It’s not hard to imagine what would happen to your clients’ trust in your ability to look after their best interests if the personal information you held was unintentionally lost or intentionally hacked and then used to cause them harm.
The reason for mandatory data breach notification is that, if an individual is at real risk of serious harm because of a data breach involving their personal information, receiving notification of the breach can allow that person to take action to protect themselves from that harm. For example, an affected individual might change an online password or cancel a credit card after receiving notification that their personal information has been compromised in a data breach.
From 1 April to 30 June 2018, the OAIC received 36 data breach notifications for the finance sector, of which 50 per cent were human error (the most common error being the sending of personal information to the wrong recipient by email), 47 per cent were malicious criminal attacks (cyber incidents being the most common type of attack) and 3 per cent were system faults.
Almost half of all data breaches reported to the OAIC are the result of malicious criminal attacks. Of these, phishing (compromised credentials) accounted for 50 per cent, compromised or stolen credentials for 36 per cent, ransomware for 7 per cent and brute-force attacks for 7 per cent.
What is an eligible data breach?
An eligible data breach generally occurs when you have identified all of the following:
1. There has been unauthorised access to, or unauthorised disclosure of, personal information that your entity holds about one or more individuals, or a loss of that personal information (accidental or inadvertent loss where it is likely to result in unauthorised access or disclosure);
2. This is likely to result in serious harm to one or more individuals; and
3. You have not been able to prevent the likely risk of serious harm (which can be psychological, emotional, physical, reputational, or other forms of harm) with remedial action.
What are your obligations?
If you suspect that an eligible data breach has happened, then you must make an assessment of the relevant circumstances within 30 calendar days after the day on which you became aware of the grounds (or information) that caused you to suspect an eligible data breach.
Once you become aware that such a breach has occurred, then, as soon as practicable, you must notify the OAIC and affected individuals (unless an exception applies).
The notification must include:
• The identity and contact details of your entity
• A description of the data breach
• The kinds of information concerned, and
• Recommendations about the steps that individuals should take in response to the data breach.
Steps you can take now to protect your clients and your business
Actions that can help to protect your clients and your business from a data breach include:
1. Review your insurance policies that cover data loss and cyber risk, including any that provide client protection and counselling services.
2. Review your IT provider’s services relating to data protection and IT security.
3. Update licensee agreements relating to any updated IT security and insurance requirements.
4. Update policies, processes and procedures and ensure that they contain early detection systems and a data breach response plan to be able to identify and address any data breaches quickly.
5. Provide training to your staff and representatives so that they are aware of their legal obligations and actions they can take to help mitigate the risk of a data breach.
6. Create consistency in how you hold and secure client information. For example, holding client information in a central and secure CRM database can be an effective way to monitor and protect it. It may also save time and cost if you need to manage remediation activities after a data breach, compared with managing a plethora of files and folders spread across remote drives and cloud storage providers used by many representatives operating in different locations across Australia.
7. Ensure that any third parties you use that collect or manage your clients’ data are also insured and have adequate data breach controls in place.
Advice Compliance Support makes no representations as to accuracy, completeness, currency, suitability, or validity of any information in this article and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. Inadvertent errors can occur and applicable laws, rules and regulations may change.
The information contained in this article is general and is not intended to serve as advice be it legal advice/opinion or otherwise. No warranty is given in relation to the accuracy or reliability of any information. Users should not act or fail to act on the basis of information contained in this article or on this site. All data and information provided here and on this site is for informational purposes only.