There is no worse feeling for an accounting firm than realising there has been a data breach. A notification pops up disclosing that your clients' private data may be in the wrong hands. Without a plan, or a trusted IT partner, this can be costly and damaging for both the firm and its clients.
Over 50,000 Australians felt this sense of dread in 2017, during what was then the nation's biggest data breach. The cause was not a sophisticated intrusion but a misconfigured Amazon S3 bucket (a cloud storage service used to hold files for websites and mobile apps) that had been left publicly accessible. The exposed records included email addresses, locations, passwords and ID details of staff from government agencies and private companies, causing unprecedented concern. A 2017 study by IBM put the average total cost of a data breach in Australia at approximately $2.51 million, with an average cost of $139 per compromised record.
Since this incident there have been moves in the legislature to make companies that store customer data more accountable for its security. On 22 February 2018 Australia introduces mandatory data breach reporting, joining jurisdictions such as the US, Canada, New Zealand and the European Union that have, or are introducing, breach notification requirements. Even a small data breach may need to be reported if it is likely to cause serious harm. Non-compliance can lead to penalties of up to $360,000 for individuals and $1.8 million for organisations.
The 2017 breach, together with media coverage of the new legislation, has made consumers increasingly aware of how important data security is when choosing which businesses to share their private information with.
As accounting firms hold highly sensitive information such as financials and tax file numbers, security and privacy are key factors for clients when deciding whether to work with you or a competitor.
In this article we explain what is changing in the law, how your IT partner can help you manage the change, and which responsibilities sit on each side.
What is this new law?
The official name of the law is the Notifiable Data Breaches (NDB) scheme. It is an amendment to the Privacy Act 1988, the Act that, through the Australian Privacy Principles (APPs), regulates how organisations collect, store, manage and disclose personal information in Australia.
The NDB scheme applies to any organisation that already has obligations under the Privacy Act. This includes businesses and not-for-profit organisations with an annual turnover of $3 million or more, Australian Government agencies, and any entity that receives tax file numbers (a TFN recipient) in respect of the TFN information it holds, regardless of turnover. That last category captures most accounting firms.
This scheme “establishes requirements for entities in responding to data breaches. Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.”
This definition, taken from the Office of the Australian Information Commissioner (OAIC), may seem intimidating, but the goal is simple: to protect an individual's data. If an individual entrusts an organisation with their personal information, they must be told if that information is lost, or accessed or disclosed without authorisation, in a way that is likely to cause them serious harm.
What needs to be reported?
First, what does the OAIC mean by "serious harm" in the definition above?
Organisations must determine for themselves what constitutes serious harm by weighing a number of factors about the personal information involved: what exactly has been compromised, whether it was protected by security measures such as encryption, who has acquired (or could acquire) it, and the likely consequences for the individuals concerned. Exposed credit card details or health records, for example, could both be considered likely to cause "serious harm".
Second, what counts as personal information? OAIC guidance on the scheme gives the following examples of kinds of information whose exposure is more likely to cause serious harm:
- Sensitive information, such as information about an individual's health
- Documents commonly used for identity fraud, such as driver licence, passport and Medicare card details
- Financial information
- A combination of types of personal information that, taken together, reveals more about an individual than any single item would
With these examples in mind, a data breach must be reported when all three of the following criteria are met:
- There is unauthorised access to, unauthorised disclosure of, or loss of personal information.
- This is likely to result in serious harm to one or more individuals.
- The organisation has not been able to prevent the likely risk of serious harm through remedial action.
Here is how these criteria apply to an accounting firm.
An accounting firm will typically hold identity documents, tax file numbers and other sensitive financial data. This meets the Privacy Act's definition of personal information, and it is exactly the kind of information likely to cause serious harm if compromised. The new law gives the individuals concerned the right to know when that has happened.
In the past, if a company lost a batch of credit card numbers, the loss might have been swept under the carpet. Under the amended Privacy Act, firms must notify affected customers of lost credit card details or any similar event, so that those customers can take steps to limit further damage, such as cancelling and reissuing the cards.
Firms should also not read this law and think only of hacking. An external intrusion is one kind of data breach, and a severe one, but as the first criterion above shows, loss counts too: copying files to a USB drive and leaving it in a taxi is a data breach.
What if my customer data is managed by an external IT provider?
A good IT provider should already have a strong security focus, with solutions and processes designed to minimise the risk of a data breach. With an IT partner who understands the accounting space, this law can in fact increase your firm's value to its clients by demonstrating that data security is one of your top priorities.
When working with an external IT provider, there are two things you must establish as a result of the new addition to the Privacy Act: shared responsibilities, and a documented contingency plan.
1. Shared Responsibilities
When reviewing the requirements of the Privacy Act, what stands out is that reporting is a shared responsibility: a partnership between the IT provider and its clients as joint custodians of personal information.
For example, if an accounting firm's database were compromised, it would be the IT partner's responsibility to communicate immediately and to act on resolving the issue and preventing further damage. At the same time, it is the accounting firm's responsibility to report day-to-day incidents such as sending an email to the wrong person or misplacing hardware. Once your IT partner receives that report, they should take over the matter and guide you through the process.
If you already work with an IT partner, talk to them to understand, and if necessary redefine, the partnership so that these shared responsibilities are explicit, ideally in writing in your service agreement, including how quickly each side must notify the other of a suspected breach.
2. A Documented Contingency Plan
The other thing your external IT provider needs to address is a detailed contingency plan. The plan should set out the steps to be taken at each stage of a breach, so that if something happens there is no confusion and your partner has a robust plan of action to fall back on.
Understanding Shared Responsibilities and Having a Documented Plan
With both of these requirements in mind, at Byte we have designed a five-step process to ensure any data breach is resolved and reported in accordance with the law. Here is what our approach looks like:
1. Identify. The process begins with identifying that there is a problem and sharing it with your IT provider. To help recognise that a data breach may have occurred, here are some examples of potential data breaches:
- A user shares their login details with another person
- A user emails a confidential data file to the wrong recipient
- An IT system is accessed by an unauthorised external entity
- An IT provider gives one customer access to another customer's files
Whether the potential data breach originates with your IT provider or with your firm, it must be communicated to the other party so that a coordinated response can be formed through the remaining steps.
For example, ABC Accounting is a Byte client. One of its employees, working in their virtual desktop at an airport kiosk, walks away without logging off. The employee notifies their internal IT manager, who notifies the Byte service desk.
2. Contain. The second step is for the IT provider and your firm to take appropriate action to contain the potential data breach.
For example, Byte finds that the virtual desktop session is still active and forces a log-off. The employee's account is then disabled until the employee is available for a password reset.
3. Measure. The third step is for the IT provider and your firm to measure any potential loss of personal information. Typically this means your IT provider checking which files and systems were accessed during the window in which the session was exposed, and the client assessing the sensitivity of the information they contain. On that basis a decision is made about whether the data breach must be reported.
For example, Byte finds that the Accounting Practice Software (APS) database was accessed before the session was logged off. ABC Accounting confirms that the database contains sensitive financial information. Byte and ABC Accounting jointly decide that the data breach must be reported.
4. Report. The fourth step is for the customer to report any eligible data breach. Note that while compliance is a shared responsibility, in all cases it is your firm's responsibility to report eligible breaches. This is in line with the Australian Government's recommendation that the entity with the most direct relationship with the individuals at risk is best placed to notify them. The scheme expects an entity to complete its assessment of a suspected breach within 30 days, and to notify the OAIC and the affected individuals as soon as practicable once it concludes the breach is eligible.
For example, ABC Accounting reports the data breach to the Australian Information Commissioner and contacts the affected clients.
5. Review. The final step is for the IT provider and your firm to review the incident and agree on any process or product changes that will reduce future risk.
For example, after reviewing the data breach the following actions are agreed. ABC Accounting will run internal training to remind employees of their responsibilities for keeping their environment secure. Byte will enforce a password-protected screensaver so that any session left unattended locks automatically.
As these steps show, choosing an IT partner with a focus on security can significantly reduce your risk of a breach and improve the quality of your response should one occur.
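The Measure step is where most of the technical work in the five steps sits: the provider has to establish what was touched during the window in which the session was unattended, and the firm then judges how sensitive that material is. The following Python script is an added example, not part of the original article and not Byte's or OneSpace's code, showing how that scoping can be done from session audit logs. The log format, the session and user names, the file paths and the data-classification table are all assumptions made for illustration; the only detail taken from the article is the APS database.

```python
"""Scope an unattended virtual desktop session from audit logs.

Added example, not Byte's code. The audit log format is an assumption:
one event per line, "timestamp session user action resource".
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log (not real data). The user estimates they
# left the kiosk around 08:55; the service desk forced a log-off at 09:31.
SAMPLE_LOG = "\n".join([
    r"2018-02-22T08:02:11Z sess-7f3a jsmith logon -",
    r"2018-02-22T08:05:40Z sess-7f3a jsmith open \\fs01\clients\acme\2017-return.pdf",
    r"2018-02-22T08:41:03Z sess-7f3a jsmith open \\fs01\marketing\brochure.pptx",
    r"2018-02-22T09:10:27Z sess-7f3a jsmith query APS:ClientDB",
    r"2018-02-22T09:12:55Z sess-7f3a jsmith open \\fs01\clients\acme\tfn-declaration.pdf",
    r"2018-02-22T09:31:00Z sess-7f3a jsmith logoff forced-by-servicedesk",
    r"2018-02-22T09:35:12Z sess-90c1 abrown logon -",
])

# Assumed data classification for the firm's resources (hypothetical).
# Only resources matching a prefix here count as personal information.
SENSITIVE_PREFIXES = {
    "APS:": "client financial records",
    "\\\\fs01\\clients\\": "client tax documents (may include TFNs)",  # \\fs01\clients\
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    session: str
    user: str
    action: str
    resource: str


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Parse the assumed audit format; the resource field may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, user, action, resource = line.split(" ", 4)
        events.append(Event(parse_ts(ts), session, user, action, resource))
    return events


def classify(resource):
    """Return the sensitivity label for a resource, or None if it is not sensitive."""
    for prefix, label in SENSITIVE_PREFIXES.items():
        if resource.startswith(prefix):
            return label
    return None


def scope_session(events, session, unattended_from):
    """Return (accesses in the exposure window, contained).

    The window starts at the user's best estimate of when they left the
    device (err early: an estimate that is too late hides accesses) and
    ends at the session's logoff. No logoff event means the session is
    still open: containment has not happened and the window is open-ended.
    """
    mine = sorted((e for e in events if e.session == session), key=lambda e: e.ts)
    logoff = next((e.ts for e in mine if e.action == "logoff"), None)
    in_window = [
        e for e in mine
        if e.action in ("open", "query")
        and e.ts >= unattended_from
        and (logoff is None or e.ts <= logoff)
    ]
    return in_window, logoff is not None


def measure(log_text, session, unattended_from_iso):
    """Produce the facts the firm needs for its notification decision."""
    events = parse_log(log_text)
    accesses, contained = scope_session(events, session, parse_ts(unattended_from_iso))
    sensitive = {e.resource: classify(e.resource) for e in accesses if classify(e.resource)}
    return {
        "session": session,
        "contained": contained,
        "accessed": [e.resource for e in accesses],
        "sensitive": sensitive,
        "personal_info_exposed": bool(sensitive),
    }


if __name__ == "__main__":
    report = measure(SAMPLE_LOG, "sess-7f3a", "2018-02-22T08:55:00Z")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two design points carry over to any real implementation. The start of the window comes from the employee's own estimate, which is the weakest input, so the provider should pull the estimate earlier if in doubt and show the firm which accesses fall just outside it. And a session with no logoff event is reported as not contained rather than scored, which keeps the Contain step ahead of the Measure step in practice as well as on paper.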
How can a cloud based virtual desktop solution significantly reduce your risk?
Cloud based virtual desktop products, such as Byte's OneSpace, reduce your risk of a data breach because all your data is kept in one central cloud location rather than scattered across devices.
In a traditional environment, data is kept on a file server and then copied onto other devices, such as laptops, so that users can work offline. There is very little control over the data in this scenario: it moves easily onto laptops and home computers that are often shared between several people. This spread of the data footprint increases the risk of a breach and makes containing one harder.
Compare this with a cloud based virtual desktop product. All your data remains in the cloud environment and is accessed only through virtual desktops, which can be launched from almost any device, giving you mobility and flexibility without the data leaving your control. Because the data stays within the boundaries of your cloud environment, it is always under the protection of your security appliances and software, such as firewalls, antivirus and intrusion detection, and 24/7 monitoring of those controls shortens the time it takes to detect and contain an incident. Two caveats apply to any virtual desktop product: the device the desktop is launched from is still part of the picture, as the airport kiosk example above shows, so idle-session locking and the ability to force a log-off matter; and data only stays inside the environment if the desktop is configured to restrict clipboard, local drive and printer redirection to the client device.
With this new law, clients are increasingly aware of a firm's data security. An accounting firm using a cloud solution such as OneSpace can offer its clients stronger protection than a competitor without one, and with proper reporting and management, any breach that does occur can be contained quickly and handled correctly.
We hope this article gives an overview of how accounting firms and their IT partners can together manage the revised privacy law. At Byte, we are committed to helping you with the new reporting process. If you have any further questions about compliance, please contact John Tunbridge, OneSpace/APS Private Cloud Architect, directly by email: firstname.lastname@example.org
Byte is the provider of OneSpace, an IT solution tailored for accounting firms that want to minimise business downtime, reduce IT maintenance and cost, and give employees the flexibility to access accounting software packages and data from anywhere, at any time, through a secure and seamless cloud solution.