“When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.”
— David Brin
In previous articles we’ve discussed risks, regulatory expectations and the consequences of complacency when dealing with privacy and data security issues.
It’s tempting for advisers and licensees to dismiss these as institutional responsibilities, but if you needed a counter-argument, consider ASIC’s decision to commence proceedings against RI Advice Group Pty Ltd (RI) for failing to have adequate cyber security systems.
In this article we wanted to do more than simply reiterate our position. We want to highlight, and discuss, another relevant case heard by a different but related regulator.
Most of us are prepared for the possibility of fines and censure for privacy breaches, but the Information Commissioner of the Office of the Australian Information Commissioner (OAIC) recently awarded complainants compensation for a non-economic loss.
Granted, this case related to a government department, the Department of Home Affairs, which had been found to have interfered with the privacy of 9,258 detainees in immigration detention. The Department mistakenly released the personal information of the detainees via a spreadsheet on its public website.
The information released included:
- full names,
- dates of birth,
- period of immigration detention,
- boat arrival details and
- reasons why the individuals had been considered an unlawful citizen.
It’s significantly more detailed personally identifiable information than is held by most advisers and licensees, and the failure was compounded by the Department’s failure to quickly identify and remediate the breach; the information was available publicly for approximately sixteen days.
The Commissioner ordered the Department to pay compensation for non-economic loss to those participating class members who demonstrated that they suffered loss or damage as a result of the data breach, under five categories of loss or damage, depending on the severity of the impact.
We’ve previously written several articles about your obligations under the Notifiable Data Breach Scheme (NDBS) and we thought we would highlight the key points:
- It’s important to understand that you are not obliged to report all breaches to the OAIC, but you are required to report all eligible data breaches;
- An assessment of serious harm requires an objective and reasonable assessment made from your perspective. It does not require you to make a subjective assessment of the likely harm based on the affected individual’s relevant personal circumstances. Act reasonably and prudently but appreciate the broader implications of the breach and your reaction;
- You don’t need to report data breaches that you have quickly remediated or have started to remediate. We have addressed effective remediation previously and we remind you that effective remediation needs to be reasonable, prompt, effective and appropriate. Your remediation and consequence management policy should provide you with the framework and guidance you need to satisfy this requirement but contact us if you need assistance; and
- The requirement to consider the impact and likely consequences of a data breach – serious harm – introduces a materiality assessment that is both clear and intuitive.
Financial Data Management
“Cyber risk has been a ‘known known’ for well over 20 years. But in today’s world of ubiquitous software usage, it’s now a vulnerability and an exposure that has exponentially escalated.”
— ASIC Deputy Chair, Karen Chester
While we’ve focused on the OAIC, we’ve also highlighted the increasing importance for Licensees to commit adequate resources to record keeping and risk management, because these are at the heart of a Licensee’s obligations to provide financial services efficiently, honestly, and fairly.
Think of it as a core obligation and a significant duty.
We have yet to see a determination in the RI case; however, in a speech delivered on 10 March 2021 by the ASIC Deputy Chair, Karen Chester, to the AFR Business Summit, cyber risk was called out as one of the harms in ASIC’s crosshairs.
ASIC’s forward-looking agenda includes raising awareness of cyber resilience for entities, helping regulated entities prepare for self-assessments, and taking decisive, deterrence-based enforcement action.
ASIC referred to RI as being the first action taken by ASIC against a licensee in respect of cyber security and cyber resilience; but it won’t be the last.
We’ve been remarkably consistent on this topic and have published a number of articles addressing your risks and liabilities in respect of privacy, data security and record keeping. It’s a core responsibility of both licensees and advisers and, regardless of your perceived risk and the nature, scale, and complexity of your business, you should:
- Implement preventative, interrogative and remedial processes to address cybersecurity risks;
- Take the time to review, and consider, the NIST Cybersecurity Framework, the standards, guidelines and best practices designed to help you manage cybersecurity risk;
- Undertake an audit of the technology infrastructure underpinning your AFSL; and
- Engage an external expert to test your IT security.
Both privacy and data security should be key elements of your compliance framework, especially considering the application of the new breach regime.
If you are worried about your obligations and risks, or just want help better operationalising them, give us a call, or after reviewing our May Privacy Week schedule of activities, register for one or more of our privacy/cyber security webinars.