Data breach response plans are no longer optional for public practices. Here’s what yours needs.

It’s vital that all smaller public practices and many of their SME clients have in place a current incident response plan for data breaches.

Now that many small businesses are required to report and respond to a data breach – and do so within 30 days – it pays to have a response plan in place to protect client confidence and avoid reputational damage. All public practices must now pre-plan for if the worst happens.

By Adam Turner and Jacqueline Blondell

Data breaches are no longer just a major concern for big businesses. Now that it is mandatory for any business that holds a tax file number (TFN) to report data breaches likely to result in serious harm to those whose data is affected, it’s vital that all smaller public practices and many of their SME clients have in place a current incident response plan. 

How mandatory reporting affects practitioners

If that plan is not in writing, it doesn’t exist, and if it isn’t tested, it will almost certainly have no value. As Paul Kallenbach, partner at the law firm MinterEllison, warns: it is no longer a question of “if” a business [of any size] will come under cyberattack, but “when”.

“You’re never going to eliminate the risk,” Kallenbach concedes. “Instead, it’s a matter of managing that risk, which means all businesses must take a risk-based approach to data breaches in line with their cybersecurity profile.”

Related resource: The Notifiable Data Breaches scheme – resources for agencies and organisations

The Notifiable Data Breaches (NDB) scheme applies to Australian businesses with turnover exceeding A$3 million, although the small business exemption is not applicable if a business provides health services, trades in personal information, is a credit reporting body or related to an entity subject to Australian Privacy Principles (APPs), as defined in the Privacy Act. 

Further, the NDB scheme applies to any business that holds TFN information, regardless of turnover, where the data breach relates to TFNs.

Size is irrelevant to best practice when it comes to reputational risk

In addition to data breach reporting being mandatory from 22 February 2018, the Office of the Australian Information Commissioner (OAIC) has run a voluntary data breach reporting scheme for several years.

Kallenbach advises that even small businesses should view the voluntary reporting of breaches as best practice.

Data security is not exclusive to IT

“In light of cases like this we’ve had expressed pronouncements by ASIC and the SEC [the US Securities and Exchange Commission] that organisations shouldn’t treat data breaches as simply an IT problem,” Kallenbach says.

He adds: “There is a trend of malicious criminal activity targeting the health and services sectors, which means that accountants and other professional services organisations really need to understand that they are exposed to significant risk.”

The plan should also address communicating with the Office of the Australian Information Commissioner and, if applicable, law enforcement agencies, although the obligation to report incidents to police can vary from state to state.

While police often lack the resources to deal with small-scale cyberattacks, Kallenbach says the Australian Cyber Security Centre encourages organisations to report attacks via their website, so they can maintain a holistic view of Australian cybercrime.

The need to notify insurers can also be overlooked in a data breach response plan, Kallenbach notes.

“That is an increasingly important piece of the plan, because cyber insurance can pay some of the costs of investigation and response but, if you have an insurance policy, chances are there will be an obligation to notify your insurer,” he warns.

“If you forget, you might compromise your coverage.”

“Even if some of your data is exempt under the Act, that’s not going to shield you from reputational risk if employee data is breached, so it’s something you still might need to address in your response plan to ensure you haven’t left your organisation exposed.”


Practitioner awareness case study

The serious consequences of cybercriminals invading companies’ computer systems came to the attention of Murray Wyatt FCPA, of Melbourne firm Morrows, when some of his clients reported instances of data breaches.

“It certainly raised our awareness,” says Wyatt, who shortly after attended a conference on the topic where he was again surprised to discover just how many people attending on the day admitted to having their systems breached.

It was then that he recommended to his partners that they put in place a data breach response program, which included upgrading the firm’s software security, purchasing cyber insurance and educating staff on the importance of careful password control. 

“It’s about being chronically aware and chronically suspicious,” he says, noting the firm receives around 10 “dodgy” emails a week.

Wyatt places great importance on cyber insurance for practitioners, who generally handle clients’ sensitive personal details, including tax file numbers. 


“I think it should be mandated for anyone with a practising certificate,” he says. 

“Once your data has been breached you need to know how [the hackers] got in and just what they do have. 

“If you immediately contact your insurer, they usually provide forensic specialists to investigate this.” 

Wyatt also notes that cyber insurance policies may provide crisis specialists to help businesses manage the public fallout from a data breach. 

“The consequences of breach may take time to surface,” he notes. “Hackers could invade your system at the end of a financial year and sit on any personal information they may have scraped for months until they decide to act.”

Beware email

Email is a favourite way for hackers to penetrate a business, which is why Morrows doesn’t email sensitive client information, instead using an encrypted file-sharing product, ShareFile, to send such documents. The firm also uses accounting software that requires two-factor authentication, also known as 2FA.

“Practitioners purchasing software should be aware of this asset. Until recently, one of the major packages did not have this in place.”

The firm has also moved to a more sophisticated password system. 

“We use passwords that tell a story, so are easy for the user to remember but difficult for others to discern,” he explains. Morrows also emphasises to staff that it is their personal responsibility not to share passwords with anyone, and they must scrutinise any incoming emails, even the most seemingly innocuous ones.

“You really have to embed it in the culture,” he says. “[Hacking] used to be a very strange thing, but now the number of attacks is very prolific. These types of emails are looking more and more real. 

“Think of the consequences. Hackers can scrape your details and a little while later the money will be gone, never to be recovered, or they could [simply destroy your system with] ransomware or malware.”

Further Resources

Notifiable Data Breaches scheme: how to notify

Data breach preparation and response – A guide to managing data breaches in accordance with the Privacy Act 1988

MinterEllison’s 2018 Perspectives on Cyber Risk

Notifiable Data Breaches second quarterly report released


December 2018