Once an accountant just did accounting. Sure, there were regulations to comply with and training requirements to meet. But now? Compliance is king and keeping up with it all is not just taxing, it’s the law.
Having the responsibility for storing clients’ valuable personal information makes accountants particularly vulnerable to data breaches and cyber-attacks, adding to the pressure on them to ensure they’re compliant, and not exposed to hefty penalties.
To shed some light on that compliance burden, the Tax Practitioners Board (TPB), the Office of the Australian Information Commissioner (OAIC) and Fenton Green updated practitioners on practical strategies for dealing with this growing risk to accountancy practices at a recent webinar on privacy, data and cyber security compliance obligations hosted by Thomson Reuters.
Connor Dilleen, Director of the Dispute Resolution Branch at the OAIC, Greg Lewis, member of the TPB and Drew Fenton, Managing Director of Fenton Green spoke of the increase in data and compliance breaches in the profession, which has seen accounting and finance score in the top three of the sectors suffering the most breaches.
The presenters received more than 50 questions covering a wide range of topics in the live Q&A session, a sign of the thirst for knowledge in the area.
Here is an edited snapshot of those questions and answers, prepared by our esteemed speakers.
Q: If your systems are in the cloud – do you need protection?
A: Australian Privacy Principle (APP) 11 requires APP entities to take reasonable steps to secure the personal information it holds from misuse, interference or loss, as well as unauthorised access, modification or disclosure. As such, where an entity holds personal information of individuals in the cloud or other online storage systems, APP 11 would require the entity to take steps to secure the personal information held in that system. Further information about ICT and Access Security measures can be found in the OAIC’s Guide to securing personal information. Additionally, the Australian Cyber Security Centre has published some general advice that might help you resolve this question: cyber.gov.au/publications/small-business-cyber-security-guide and cyber.gov.au/advice/cloud-computing-security and cyber.gov.au/publications/cloud-computing-security-considerations
Q: Is the requirement to obtain permission to disclose in writing a requirement or advisable? Is an email providing permission sufficient and considered to be “in writing”?
A: We highly recommend that you obtain written permission by way of a signed letter of engagement or signed consent. You could also obtain permission via email or other communication with the client.
Q: Have there been any complaints/ decisions before the TPB in relation to failure to comply with the TPB’s Code of Conduct taking appropriate reasonable steps regarding cyber-attacks?
A: Yes, we have had some cases come before the Board, including cases of insider threats exposed where employees of tax agents circumvented internal IT controls to steal identity information for personal benefit. We also had a couple of cases where tax practitioners have been reckless in their application of cyber security controls which led to the access to and theft of taxpayer information to which the tax practitioners had Code of Conduct obligations to protect.
Q: If the client requests a copy of their income tax return be emailed to them (which includes personal information), and then an identity fraud occurs, is the accounting firm liable?
A: APP 11 requires APP entities to take reasonable steps to secure the personal information it holds from misuse, interference or loss, as well as unauthorised access, modification or disclosure. Where there may be unauthorised access to personal information which results in identity fraud, the OAIC may make inquiries of the entity regarding the steps it took to secure the personal information prior to its disclosure. Where records containing personal information are sent via email, entities may wish to consider steps such as secure/encrypted email services and/or the use of password protection on documents containing sensitive information, in order to limit the risk of unauthorised access or disclosure. Further information can be found in the OAIC’s Guide to securing personal information: oaic.gov.au/privacy/guidance-and-advice/guide-to-securing-personal-information
Q: What about data that you include on your laptop for your clients? Should this be in an online platform rather than on a desktop?
A: APP 11 requires APP entities to take reasonable steps to secure the personal information it holds from misuse, interference or loss, as well as unauthorised access, modification or disclosure. As the APPs are not prescriptive, it is up to entities to consider what steps may be reasonable for their needs and business models. Entities may wish to refer to the OAIC’s Guide to securing personal information: oaic.gov.au/privacy/guidance-and-advice/guide-to-securing-personal-information, which contains information on the steps entities can take as part of their obligations under APP 11. In addition, the Australian Cyber Security Centre has published some general advice that might help you resolve this question. See: cyber.gov.au/publications/security-tips-personal-devices and cyber.gov.au/publications/small-business-cyber-security-guide
Q: You mentioned the security of email inboxes where personal data is stored (and who doesn’t do that?). You mentioned steps should be taken to secure the inbox. Could you please provide some examples of these steps, or what would be considered ‘best practice’ to secure inboxes?
A: An issue with the use of email inboxes/subfolders as a primary storage location is that people who gain access to the mailbox gain access to the information stored within it. Given the frequency of email phishing attacks that result in unauthorised access by malicious third parties to email accounts (and the associated access credentials), entities may consider moving sensitive or personal information out of email accounts and into more secure locations where additional protections and access controls can be put in place. Additionally, once this information is copied from the email account to a more secure/access-controlled location, entities should consider deleting the relevant emails from the account and emptying the trash folder. Further information about passwords and security measures can be found in the chapter on Access Security in the OAIC’s Guide to securing personal information: oaic.gov.au/privacy/guidance-and-advice/guide-to-securing-personal-information
Q: It is my understanding that maximum penalties for privacy breaches are likely to increase to $10 million.
A: Yes, the maximum penalty is currently $2.1 million, but for small businesses with an annual turnover of $3 million or more, penalties will increase to the greatest of: $10 million, or three times the value of any benefit obtained through the misuse of information, or 10% of a company’s annual domestic turnover.