By Tyler W.
July 03, 2020
Notifiable Data Breach
NDB is a thing, and you need to be compliant.
New rules are generally not brought to our attention until we break them. The Notifiable Data Breach (NDB) scheme could very well be one of those. In the age of cloud technology and constant information transfer it is easy for a document to be leaked out of a secure system or for an email to be sent to the wrong recipient. We can be our own worst enemies, and a data breach is often not the result of an external hack, as much as we would prefer it to be. That said, phishing (along with vishing [voice phishing] and smishing [SMS phishing]) is still a massive source of intrusions and leaks.
Phishing is still a successful means of cyber attack.
When you suffered an attack or an unintentional data leak, historically there was no external recourse. Your punishment was essentially the disruption to your business: restoring systems, then investing in new and improved technology and education to ensure it didn't happen again. That is no longer the case, because certain breaches are now required to be reported. If you are bound by the Privacy Act 1988 and suffer an eligible data breach, you are obliged to notify the affected individuals and the Office of the Australian Information Commissioner (OAIC). This can have significant consequences for the relationship and trust if a client believes their financial or legal information has escaped. Financial and legal professionals deal in incredibly sensitive information, and that information is effectively the product. It should be secured the same way you would protect a warehouse full of merchandise.
While the Privacy Act is designed to protect individuals and their dealings with Government agencies, it obviously reaches far further. Any organisation with annual turnover greater than $3 million is bound by the Privacy Act, as is, regardless of turnover:
- a private sector health service provider (an organisation that provides a health service), including:
  - a traditional health service provider, such as a private hospital, a day surgery, a medical practitioner, a pharmacist and an allied health professional
  - a complementary therapist, such as a naturopath and a chiropractor
  - a gym or weight loss clinic
  - a child care centre, a private school and a private tertiary educational institution
- a business that sells or purchases personal information
- a credit reporting body
- a contracted service provider for an Australian Government contract
- an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009
- a business that has opted-in to the Privacy Act
- a business that is related to a business that is covered by the Privacy Act
- a business prescribed by the Privacy Regulation 2013
The Privacy Act includes 13 Australian Privacy Principles (APPs), which apply to some private sector organisations, as well as most Australian Government agencies. These are collectively referred to as ‘APP entities’. The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research.
Dealing in tax file numbers all day places an accountant at the centre of this (along with any other business entity that has access to tax file numbers). Should a breach occur and a tax file number be leaked, it is very likely to meet the threshold for a notifiable data breach. The TFN Rule provides guidance on the collection, storage, use, disclosure, security and disposal of individuals' tax file numbers. The TFN Rule is legally binding, and breaching it places that party in breach of the Privacy Act. If an individual believes a breach has occurred, they can make a formal complaint to the Office of the Australian Information Commissioner (OAIC).
Because of the higher level of risk that accountants / tax agents and legal professionals carry, it is imperative that measures are taken to ensure a breach does not occur. Not only would a breach be professionally embarrassing, it could place the client / individual at unnecessary risk. Some things are bigger than business reputation: when you think about the personal data that tax agents and legal professionals hold, there is enough to conduct substantial identity theft (should that be what the breach was for).
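One practical control for the "email sent awry" scenario is an outbound check that flags or redacts anything that looks like a TFN before a message or document leaves your systems. The example below is added here for illustration and is not code from the original post; it uses the published TFN check-digit algorithm (weighted sum of the nine digits modulo 11 must be zero) so that ordinary nine-digit numbers such as invoice references are not flagged. The sample email body is constructed for this example, and 123 456 782 is the commonly cited test TFN, not a real individual's number.

```python
import re
from typing import List, Tuple

# Weights for the TFN check-digit algorithm: the weighted sum of the
# nine digits must be divisible by 11 for the number to be structurally valid.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Nine digits, plain or in the usual 3-3-3 grouping with spaces or hyphens,
# and not part of a longer run of digits (so a 10-digit phone number is ignored).
_TFN_PATTERN = re.compile(r"(?<!\d)(\d{3}[ -]?\d{3}[ -]?\d{3})(?!\d)")

# Constructed sample: one real-looking TFN, one invoice number that happens
# to be nine digits, and a phone number.
SAMPLE_EMAIL = (
    "Hi Sam,\n"
    "Attached is the return for Client A. Their TFN is 123 456 782.\n"
    "Invoice reference 123456789, phone 0400 000 000.\n"
    "Regards, Tyler\n"
)


def is_valid_tfn(candidate: str) -> bool:
    """Return True if the digits in `candidate` pass the TFN check-digit test."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def find_tfns(text: str) -> List[str]:
    """Return every nine-digit group in `text` that passes the check-digit test."""
    return [m.group(1) for m in _TFN_PATTERN.finditer(text) if is_valid_tfn(m.group(1))]


def redact_tfns(text: str) -> Tuple[str, int]:
    """Replace valid TFNs with a placeholder; return (redacted_text, count)."""
    count = 0

    def _sub(match: "re.Match[str]") -> str:
        nonlocal count
        if is_valid_tfn(match.group(1)):
            count += 1
            return "[TFN REDACTED]"
        return match.group(0)  # nine digits that are not a TFN stay untouched

    return _TFN_PATTERN.sub(_sub, text), count


if __name__ == "__main__":
    found = find_tfns(SAMPLE_EMAIL)
    cleaned, n = redact_tfns(SAMPLE_EMAIL)
    print(f"TFN-like values found: {found}")
    print(f"Redacted {n} value(s):\n{cleaned}")
```

Run it as a pre-send hook on outbound mail or on documents before they are uploaded to a shared folder; a hit should block the send or at least force a second look. The check digit only tells you a number is structurally a TFN, so treat a hit as "probably sensitive" rather than proof, and log the event without logging the number itself.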
You need to be on the front foot in this regard and protect your data. To help you achieve a secure digital environment we suggest the following, as a minimum:
- Encrypt everything: your files, your emails and your internal messaging. Most cloud file storage solutions offer a level of encryption (we use sync.com). Email encryption is arguably an inconvenience, but it is necessary (you can use Proton or Tutanota among others, or, if you are comfortable with it, PGP). To encrypt your internal communications we recommend Signal.
- Keep your wifi password private and do not let 'unknowns' join your network. If you need to share internet access, use a guest network on your own router. We wrote earlier about wifi hygiene.
- Have an air-gapped machine for opening downloaded / suspect files and for transferring any USB data. This prevents a malicious USB or downloaded file from jumping across the network and crippling you.
- Be wary of the "sync" client that cloud storage providers (e.g. Dropbox, OneDrive / SharePoint, Sync) offer so you can keep and edit files locally. If ransomware encrypts the local copies, the client will faithfully upload the encrypted versions over the good ones. If you do rely on a sync client, make sure version history is enabled so you can roll back.
- Backup! Is this even a surprise anymore? I would think nearly everyone does this religiously, but it is still the best failsafe you can have. Keep at least one copy offline or otherwise disconnected from your network so that ransomware cannot reach it too.
Suffering a data breach is invasive and disruptive, and it adds a level of anxiety and distrust to your technology solutions that need not be there if you have taken adequate internal precautions. To add insult to injury, these breaches now need to be reported, which is why it is so important that you address data protection with the level of importance and priority it deserves. Data protection does not need to be complex. I liken it to the lock on the front door of your house. You do not need the strongest lock on the market to avoid being broken into; generally, any functioning lock will do. However, if someone really wants to break in they will find a way. Data protection is about providing enough of a deterrent that the bad guys move on, so that it is someone else, not you, who has to make the notifiable data breach report. Please secure your data, not just because we have asked you to, but because you have to!