Australian accounting and financial services firms are key targets for data breaches as the client, staff and commercial records they hold are commonly used to commit tax-refund fraud, superannuation fraud, identity theft and financial fraud against firm clients. This article provides an overview of some of the legal and regulatory risks facing Australian firms when they suffer serious third party intrusions or lose personal or sensitive records.
Many Australian financial services organisations are now subject to Australia’s Mandatory Data Breach Notification Regime (which came into effect on 22 February 2018) and must now promptly investigate and notify the Office of the Australian Information Commissioner (OAIC) and affected individuals where an “eligible data breach” occurs.
Financial services firms are stewards of sensitive client information and have common law and statutory duties to protect their clients and their clients’ data. They must take reasonable steps to protect the data in their custody and control, and to carefully investigate third party intrusions and security events. Consequently, where a firm suspects it may have suffered a data breach, specialist legal advice should be sought as soon as possible. Consistent with their obligations to protect personal information, firms should also consider the following as part of their compliance and response strategy:
- Events leading to an intrusion can demonstrate substantive breaches of obligations the organisation may owe under the Privacy Act 1988 (Cth) (Privacy Act).
- From 22 February 2018, organisations must investigate suspected data breaches, and notify the Australian Information Commissioner and impacted individuals if they suffer an “eligible data breach”.
- Data breach events can potentially contravene the legislative prohibitions on organisations requesting, recording, using or disclosing tax file numbers for non-permitted purposes.
- Guidance has been provided by the Australian Tax Office (ATO) for managing data breach incidents, and the ATO has requested that it be notified of certain data breach events.
- Firms owe common law, contractual, statutory and fiduciary duties that should be carefully analysed in the course of triaging and responding to breach events.
What records are targeted?
The ATO guidelines describe a data breach as an event that occurs when confidential information “has been accessed by an unauthorised third party”.1 Commonly, attacks against financial services firms target confidential information, including employee payroll data, tax and superannuation information, confidential business documents, banking details, and any personal information in the care, custody, or control of an organisation.
Privacy Act obligations
The Privacy Act regulates how Australian organisations can collect, protect, use and disclose personal information.2 Personal information is defined as information or an opinion (which may not necessarily be true) about an identified individual, or an individual who is reasonably identifiable3 and commonly includes client information such as tax file numbers, bank account details, full names, address details or phone numbers.
A key obligation is contained in APP 11.1 of the Privacy Act, which requires an organisation to take reasonable steps to protect the personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure. Other relevant obligations include taking reasonable steps to destroy or de-identify personal information that is no longer needed, and to only use or disclose personal information for the purpose for which it was collected. Compliance with these obligations requires consideration of all relevant circumstances and the individual protections and procedures adopted by the firm.
Financial services and tax firms must be mindful of their Privacy Act obligations due to the volume of personal information which they collect, and the extent to which this information is relied upon to deliver services to their clients. These organisations must also carefully consider the relationships they have with third party providers, as they can be responsible for any losses of personal information that are caused by those service providers.
The OAIC enforces compliance with the Privacy Act and has the power to investigate privacy complaints, commence an own motion investigation, accept an enforceable undertaking, and impose civil penalties of up to 2000 penalty units upon a non-compliant entity.
Mandatory Data Breach Notification Regime
Australia’s new Mandatory Data Breach Notification Regime commenced on 22 February 2018 and will require many financial and tax firms to notify the Australian Information Commissioner of suspected data breaches affecting personal information, credit information or tax file numbers. A breach of this notification obligation may attract significant fines, and result in investigations by the OAIC.
Tax File Number obligations
The Taxation Administration Act 1953 (the TA Act) and the Privacy (Tax File Number) Rule 2015 (TFN Rule) limit the ways in which organisations can use Tax File Numbers (TFNs). Under the TA Act, it is an offence to request, record, use or disclose TFNs unless as strictly permitted by the legislation. Breaches of these provisions can result in a fine of up to 100 penalty units and/or two years imprisonment.
The TFN Rule further prohibits tax professionals, and any TFN recipient, from recording, collecting, using or disclosing TFN information unless permitted under taxation, personal assistance or superannuation law. A TFN recipient includes any person, agency, organisation or other entity that is in possession or control of a record that contains TFN information, such as tax agents and accountants.
The Australian Information Commissioner is equipped with powers to monitor practices relating to TFNs and evaluate compliance with the TFN Rule, investigate the security and accuracy of TFN information an organisation holds, and provide advice to TFN recipients regarding their privacy obligations.
Where financial services firms hold TFN records, specific steps should be taken to ensure these records are protected, and that policies and procedures are in place to demonstrate compliance with the TA Act and the TFN Rule.
The ATO’s role and recommendations
The ATO has recommended that financial services firms report data breaches to the ATO in order to reduce the risk of fraud events being committed against Australian citizens.4 The ATO also recommends that affected businesses inform impacted clients and staff of a data breach and contact the relevant software provider if a data breach incident originated in one of their service offerings.
Engaging with the ATO after a data breach can provide an organisation with valuable resources and support; however, any notification should be carefully considered in light of the organisation's legal and regulatory obligations, and specialist legal advice should be sought in this regard.
The ATO can take steps to help protect compromised client records through monitoring processes, identification alerts, and by assigning a data breach manager to an affected practice. The ATO has provided recommendations on the steps organisations should take to meet their data security and privacy obligations and has recommended (amongst other things) that organisations take steps to ensure that security software and controls are up to date, and that systems access is reviewed to remove employees who no longer require it.5
Firms should familiarise themselves with these recommendations and consider the adequacy of their internal policy and procedure documents. Where there is uncertainty around the adequacy of policy and internal governance documents, legal advice should be sought.
Other legal duties
Financial services and taxation firms also owe common law and fiduciary duties to their clients, which require firms to take reasonable steps to protect their clients from harm, exercise due care and skill in their dealings, and comply with duties of confidence they owe to clients. Other legal obligations can arise from the terms of specific client retainers, the terms of third party contracts and under the principles of equity.
In overseas jurisdictions, accounting and financial service firms that suffer data breaches commonly face third party claims which:
- Demand compensation for individuals impacted by a breach;
- Seek recovery of costs and expenses incurred by third parties to remediate fraud which resulted from the breach;
- Demand termination of a contract and/or pursue contractual damages on behalf of customers, suppliers and business partners; and
- Can include allegations that security events were caused by a breach of a director's duties.
These organisations are also commonly subject to investigations and complaints made to regulatory bodies.
The impact of the potential third party risks should be carefully considered when developing a strategy to respond to any significant breach event.
Increasingly, firms are also considering their recovery options for data breach losses, and the extent to which third party providers may be liable for a security event sustained by an organisation. This is a developing area, and obtaining prompt legal advice can help firms identify potential recovery avenues.