“We shouldn’t ask our customers to make a tradeoff between privacy and security. We need to offer them the best of both. Ultimately, protecting someone else’s data protects all of us.”
— Tim Cook
In recognition of Privacy Awareness Week (3-9 May 2021) and the theme the Office of the Australian Information Commissioner (OAIC) has chosen for this year's privacy event, ‘The protection of personal information and safeguarding data’, we wanted to focus this article on the role of the Compliance Officer and the convergence of what used to be two quite distinct and separate roles and departments: the IT department and the Compliance department. Increasingly, Compliance Officers are required to:
- assess risk in relation to data, systems, and processes.
- assess data breaches and determine whether harm has occurred, whether the breach needs to be reported, and to which regulator (that’s right, plural!).
- provide advice on outsourced contracts in relation to data, security, restoration, etc.
The role of the Compliance Officer in relation to security and data has significantly changed and expanded.
Privacy & Security
It is worthwhile distinguishing between privacy and security in the first instance.
In the case of security, we are talking about safeguarding data and systems from unauthorised access.
Privacy is about safeguarding information tied to personal identity. It is a condition of your licence that you safeguard data and systems, and particularly data that is tied to personal identity.
As we have seen in the Australian Securities and Investments Commission v RI Advice Group Pty Ltd (ACN 001 774 125) case, ASIC is pursuing RI Advice for breaching its obligation to implement adequate cyber security systems. ASIC states that RI Advice was required to establish and maintain compliance measures that ensure, as far as is reasonably practicable, that RI Advice complies with s912A(1)(d), to have adequate resources (including financial, technological, and human resources) to provide the financial services covered by the Licence and to carry out supervisory arrangements, and with s912A(1)(h), to have adequate risk management systems.
ASIC suggests that RI Advice, as part of its licence conditions, was required to identify the risks that it and its ARs faced in the course of providing financial services on RI Advice’s behalf, including in relation to cyber security and cyber resilience.
ASIC set out in its Statement of Claim that, in order to meet minimum cybersecurity requirements, RI Advice should have adequately addressed the following 13 cybersecurity domains:
- Governance and business environment;
- Risk assessments and risk management;
- Asset management;
- Supply chain risk management;
- Access management;
- Personnel security, training, and awareness;
- Data security;
- Secure system development life cycle and change management;
- Baseline operational security;
- Security continuous monitoring;
- Vulnerability management;
- Incident response and communications; and
- Continuity and recovery planning.
This case is an illustration of the expectation placed on the Compliance Officer in supporting their licensee in the management of security and data.
Technology & Compliance
As a compliance officer, your terms of reference have undergone a major transformation over the last couple of years. You have increasingly had to deal with a new world of economic meltdowns, pandemics, crises of conduct and culture, an emphasis on integrity and ethics, and the management of data vulnerabilities arising from continual and relentless cyberattacks.
When dealing with cybersecurity and cyber resilience, you need to be able to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source.
The need to protect clients’ data requires a compliance officer to be agile, because the landscape keeps evolving: emerging technologies and increasingly sophisticated malicious actors both drive change. In addition, the pandemic has forced us into a virtual world of doing business, which brings with it its own cyber considerations and complications.
The relationship between information security (including cyber security) and privacy is codified in the Privacy Act, particularly through Australian Privacy Principle 11 (APP 11), which requires all entities covered by the Privacy Act to take reasonable steps to protect the personal information they hold from misuse, interference, and loss, and from unauthorised access, modification, or disclosure.
Cyber security is recognised as a necessary privacy protection and key consideration for entities taking ‘reasonable steps’ under APP 11.
As a compliance officer you need to reassess the compliance and conduct risks inherent in technology and threats to cyber security.
You need to be familiar with what your outsourced arrangements must contain to ensure that:
- you have proper recourse in the event of a security incident;
- indemnity rights and carve-outs from limitations of liability are carefully drafted;
- the outsourced provider holds appropriate cyber liability insurance, and you know the limits of that coverage;
- the contract does not give the outsourced provider the right to lock you out of access to your data; and
- your outsourced provider indemnifies you and will cooperate with any pending litigation or investigation.
During some of our past Licensee Reviews we have seen businesses potentially exposed because contracts with their outsourced providers were dated and did not contain the necessary clauses to protect their data and business.
In the case of culture and conduct, you will need to work with employees to remind them of their obligations as custodians of data, and of their critical role in safeguarding your IT infrastructure.
No easy job, considering that the majority of cyberattacks are enabled by humans, with phishing and spear-phishing remaining the most common methods used by cyber adversaries to harvest personal information or user credentials, gain access to networks, or distribute malicious content.
If you would like to recharge your security and privacy batteries, why not join us during Privacy Week.
It takes a village to manage our respective companies’ compliance obligations, so join our compliance tribe and learn from the wisdom of crowds.