In the wake of the Optus data leak, legislation before Parliament will lift the maximum fine for serious or repeated breaches of the Privacy Act from $2.2m to up to $50m. But there are no guarantees that even the strongest safety measures will prevent an attack. So, what does that mean for business and their customers?
Legislation before Parliament will lift penalties for serious or repeated privacy breaches, provide new powers to the Australian Information Commissioner, require entities to provide detailed data to the Information Commissioner to assess public risk and give the regulator greater information-sharing powers. In a statement, Attorney General Mark Dreyfus said, “When Australians are asked to hand over their personal data they have a right to expect it will be protected.” But the question is, can any business claim that customer data will be protected from hackers?
If a customer needs to disclose their personal information to your business to work with you, at the point the data is collected, your business is the custodian of that data. A duty of care exists from the moment the data is collected to the point the information is no longer required and is destroyed.
The Privacy Act requires organisations to take “reasonable steps” to protect the data collected. ‘Reasonable’ steps “require the existence of facts which are sufficient to [persuade] a reasonable person.” That is, in the event of a data breach, the business will need to prove the steps they have taken to protect client data.
Lessons from RI Advice
Australian Competition and Consumer Commission v RI Advice Group Pty Ltd was a landmark case. While specific to the obligations of an Australian Financial Services License (AFSL), it demonstrates that ASIC is willing to pursue not just companies that breach their duty of care but the directors and officers involved.
RI advice is a financial services company that, through its AFSL, authorised representatives to provide financial services. As you would expect, as part of providing financial services, the authorised representatives received, stored and accessed confidential and sensitive personal information. Between June 2014 and May 2020, nine cybersecurity incidents occurred at the practices of RI Advice’s Authorised Representatives. Enquiries following the incidents revealed:
- Computer systems that did not have up-to-date antivirus software installed and operating
- No filtering or quarantining of emails
- No backup systems or back-ups are being performed; and
- Poor password practices include sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.
RI Advice took steps to manage its cybersecurity introducing a cyber resilience program, controls and risk management measures for its representatives including training, incident reporting, and contractual professional standard terms, but by its own admission, it took too long to implement.
RI Advice was ordered to pay $750,000 towards ASIC’s costs. Handing down the decision Justice Rofe said, “It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
Shakespeare Cybersecurity
At Shakespeare, we understand the importance and complexities of cyber threats and information security in financial services. We appreciate that cybersecurity is a significant issue and our investment in cybersecurity is a priority.
At Shakespeare, our integrated cybersecurity risk management strategy involves the resources and activities of the entire organisation. Our view is that cybersecurity starts with people. All the staff at Shakespeare Financial Group regularly undergo cyber awareness training from our team of IT experts.
We have a continual improvement program regarding cybersecurity, with our client’s data and confidentiality of crucial importance.
Contact us if you would like further advice on privacy breaches or for more information on our security measures.
Recent Comments