04

May 2017

Australia’s new data breach notification laws. Are your suppliers ready?

By: Odyssey New Legislation
Tags: cloud, Data breach, Data security, Disclosure, due diligence

With an increase in data now on the cloud, and a number of third party services providers assisting Australian accountants, it’s a good time to look at the ever changing laws on data breaches.

More recently, there was the “Can you hear me” scam reaching Australia. The scammer only needs to record you saying “yes” over the phone. The intention is to use this voice signature later to authorize fraudulent charges by telephone. By itself “yes” seems innocuous, so there must be other data leaking out of the system to make this single syllable response damaging.

There is already a very blurred line around what constitutes confidential information, and what information should and must be released. Currently in the news is CPA Australia who has released a full list of CPA members including their contact details. The accountant responsible for securing this information cited a section from the Corporations Act. This included names, addresses, and when they joined, though later news stories mentioned the email addresses were redacted. This seems a lot of valuable information required to be released.

With this increase in Australian accountants moving data to the cloud, and increasing use of offshore resources, the Australian laws on data breaches would be welcomed by those with confidential data in the hands of their trusted advisors.

The question initially must be: To what extent are foreign services providers required to comply with these laws, especially in the case where foreign workers are provided on a “seat basis”, and to what extent would the Australian accountant and their clients expect disclosure to be made. From the perspective of the “seat basis” provider, you can expect all care will be taken, though probably not a bankable guarantee.

And what happens when the wrong link is clicked at the wrong time. In the news recently was the Google docs phishing attack, that deploys a third party app to obtain information. The invitation routes through Google’s real system, and nothing appears out of the ordinary until it is too late.

With increasing complexity of attacks, the responsibility for the data loss must fall to the Australian accountant when “seat basis” staff are deployed, or to the provider when third party providers are deployed. However, when those third parties aren’t subject to Australian legislation, then difficulties arise.

It can be expected that the buck will stop with the responsible Australian entity.

A data breach is classified as an instance where there has been “unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure”. An “eligible data breach” when there is a likelihood that the individuals who are affected by the incident are at “risk of serious harm” because their information have been exposed.

The best way to avoid being famous is to ensure that your systems are tight, your employees are kept up to date with the latest threats, and that your cloud / Outsourcing partners are subject to the same data breach laws as you are.

A good due diligence will go a long way to ensure that you won’t need to be notifying the Privacy commissioner and affected customers.