Preventing data breaches
Presented by:
Greg Lewis, Board Member, Tax Practitioners Board
Connor Dilleen, Director, Office of the Australian Information Commissioner
Technical guidance
• Call Redback Support for technical problems: 1800 733 416.
• We’ll provide a copy of the presentation and some helpful links after the webinar.
• You can claim CPE/CPD for attending this webinar. We don’t issue attendance certificates.
What we will cover today
• What is a cyber-attack
• Your obligations
• Notifiable Data Breaches scheme
• Sufficient controls
• What to do in the event of a breach
• Where to get help
• Questions
Meet your presenters
Connor Dilleen, Director, OAIC
Greg Lewis, Board Member, TPB
What is a cyber-attack
Types of cyber-crime
Common types of cyber-crime include:
• hacking
• online scams and fraud
• identity theft
• attacks on computer systems
• email spam and phishing
• illegal or prohibited online content.
First party losses from a cyber-attack
First party losses can include:
• business interruption losses
• the costs of repairing and restoring systems, or improving cyber security
• reputational damage
• extortion costs.
Third party losses from a cyber-attack
Third party losses can include:
• liability in negligence for failing to properly protect client information
• fines imposed by regulators.
Tax practitioner obligations
Code item 6
Code item 6 - You must not disclose any information relating to a client’s affairs to a third party unless:
• you have obtained the client’s permission; or
• there is a legal duty to do so.
Code item 7
• Code item 7 - You must ensure that a tax practitioner service that you provide, or that is provided on your behalf, is provided competently.
• Sanctions for breaches of the Code can range from a written caution to termination of registration.
Consequences for failing to comply
Written caution → Order → Suspension → Termination
Notifiable Data Breaches scheme
Organisations covered by the Privacy Act are legally required to quickly assess actual or suspected data breaches. If serious harm is likely to result, they must notify affected individuals. They must also notify the OAIC.
Notifiable Data Breaches framework
The Notifiable Data Breaches scheme is intended to:
• provide a safer and more transparent environment
• improve compliance with privacy obligations
• provide entities with a framework for responding to data breaches
• provide an evidence base that can inform both government policy and industry practice.
What is an eligible data breach
Three criteria must be satisfied before a data breach is considered ‘eligible’:
1. unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information has occurred
2. the breach is likely to result in serious harm* to one or more individuals
3. the entity has not been able to prevent the likely risk of serious harm with remedial action.
* There is no strict definition of serious harm. It may include serious physical, psychological, emotional, financial or reputational harm.
Trends in NDB notifications
The OAIC regularly publishes statistics about notifications received under the NDB scheme to help organisations and the public understand the operation of the scheme.
[Chart: Number of notifications received by month]
Source: NDB Report July-December 2020
Top reporting industry sectors
Health and finance have been the top two sectors to notify data breaches since the scheme began.
[Chart: Source of data breaches – Top 5 industry sectors (Health service providers, Finance, Education, Legal, accounting & management services, Australian Government), broken down by Malicious or criminal attack, Human error and System fault]
Source: NDB Report July-December 2020
Malicious or criminal attacks
Malicious and criminal attacks are the leading source of data breaches reported to the OAIC.
The majority of breaches in this category involve cyber security incidents such as phishing, compromised or stolen credentials and ransomware.
This category also includes:
- social engineering/impersonation
- rogue employee/insider threat
- theft of paperwork or data storage device.
[Chart: Source of notifiable data breaches – Malicious or criminal attack 58%, Human error 38%, System fault 5%]
Source: NDB Report July-December 2020
Deep dive – malicious or criminal attacks
[Chart: Breaches resulting from malicious or criminal attacks – All sectors, January-June 2020 vs July-December 2020. Categories: Cyber incident (218 / 212), Social engineering/impersonation, Rogue employee/insider threat, Theft of paperwork or data storage device]
Source: NDB Report July-December 2020
Deep dive – cyber attacks
Cyber incident breakdown – All sectors:
• Phishing (compromised credentials): 25%
• Compromised or stolen credentials (method unknown): 25%
• Ransomware: 17%
• Hacking: 14%
• Brute-force attack (compromised credentials): 8%
• Malware: 7%
• Other: 3%
Source: NDB Report July-December 2020
Emerging themes and challenges
Critical compliance questions:
• Assessment
• Notification
• The key question of serious harm
The threat environment:
• Managing the human factor
• Evolving technical threats
• Growth of data on the dark web
Sufficient controls
Data breach preparation and response
• Train employees on secure information handling practices
• Be accountable and transparent
• Understand your personal information holdings
• Prepare and rehearse for responding to a data breach
• Introduce preventative technologies and processes
Managing the information lifecycle
Collection
• Do we need to collect the information?
• Are we collecting the information in the correct manner?
• Can we limit the attack surface for malicious actors by limiting the amount or type of data we collect?
Storage/security
• Are we storing and protecting the information appropriately?
• Do we know where sensitive information is stored?
• Do we have additional technical security measures in place for highly sensitive information?
• Is access logging/auditing enabled?
• Do we use managed service providers? Do these MSPs hold data on our behalf? Have we vetted their infrastructure?
Retention
• Do we need to retain the information?
• How long do we need to retain it? What are the thresholds?
• Do we periodically audit our information holdings?
• Who is responsible for decisions on data retention?
Disposal
• Do we have a plan for the disposal of information when we no longer need it?
• Does this plan take into account information held on our behalf by managed service providers?
Professional indemnity insurance
• One of your responsibilities under the Code is to maintain PI insurance that meets our requirements.
• The TPB does not recommend specific policies.
• Assess the risk of a cyber-attack and consider if you need to take out additional professional indemnity insurance cover to assist with first party losses.
PI insurance: example
• A company had a $2 million turnover and 8 employees.
• Their server and client records were locked by ransomware software.
• The company had the files released after paying a ransom of $50,000 to hackers.
• Their insurance company paid them $150,000 to cover the loss of income, the ransom demand, consultant costs, and costs to restore the network.
Continuing professional education
• You can undertake cyber security awareness training via an online course, a webinar or through professional or technical reading.
• We will recognise cyber security awareness training as relevant CPE.
• CPE activities should be provided by persons or organisations with suitable qualifications and/or practical experience in the relevant subject area.
What to do in the event of a breach
Responding to a data breach
Generally, the actions taken following a data breach should follow four key steps:
1. Contain the data breach to prevent any further compromise of personal information.
2. Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
3. Notify individuals and the OAIC if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.
4. Review the incident and consider what actions can be taken to prevent future breaches.
What to do in the event of a data breach
If you have experienced a breach, you should:
• contact the ATO
• advise any of your affected clients
• contact your software provider
• take steps to secure your information.
Where to get help
• In the event of a data breach, contact the ATO on 1800 467 033
• TPB website tpb.gov.au/protect-your-practice
• Subscribe to TPB eNews at tpb.gov.au/newsroom
• ATO website ato.gov.au/tpnews
• OAIC website at oaic.gov.au
OAIC resources and materials
oaic.gov.au/privacy/guidance-and-advice
cyber.gov.au/acsc/view-all-content/publications
Questions
Stay in touch with OAIC
• oaic.gov.au
• oaic.gov.au/contact-us
• 1300 363 992 (Mon-Thu 10am-4pm AEST)
• oaic.gov.au/sign-up
• facebook.com/OAICgov
• twitter.com/OAICgov
• youtube.com/user/OAICgov
• linkedin.com/company/office-of-the-australian-information-commissioner
Privacy Awareness Week
Privacy Awareness Week is an annual initiative run by the OAIC as part of a joint effort with state and territory privacy regulators and members of the Asia Pacific Privacy Authorities forum.
The Privacy Awareness Week 2021 theme is: Make privacy a priority
Businesses and government agencies are encouraged to keep personal information safe by building in privacy protections from the start of a new project, training staff to be privacy aware and taking steps to prevent data breaches.
3 - 9 MAY 2021 | oaic.gov.au/paw
Stay in touch with the TPB
• tpb.gov.au
• tpb.gov.au/contact
• 1300 362 829 (Mon-Fri 9am-5pm AEDT)
• facebook.com/TPB.gov
• linkedin.com/tax-practitioners-board
• twitter.com/TPB_gov_au
• youtube.com/TPBgov