Has your accounting firm ever been hacked and lost information? If it happens again – and your revenue is $3 million or more – you may need to call your clients to let them know.
Earlier this year the Australian senate passed a law mandating that businesses tell customers if a cyberattack has gained access to data. This follows in the footsteps of similar US and European laws. The message for accountants is that you need to take the security of your customers’ data very seriously.
Disclosing that your firm has been hacked is embarrassing and costly as existing and potential customers can go elsewhere. It also damages accountants’ reputations as custodians of their clients’ financial secrets.
Firms that make more than $3 million a year and lose client data may need to notify the Privacy Commissioner immediately and contact clients within 30 days. Failure to notify can result in fines of $360,000 for individuals and $1.8 million for organisations.
The legislation considers a breach as serious when there is unauthorised access to, disclosure or loss of customer information which could result in serious harm to the individuals involved.
Customer information includes personal details, credit reporting, credit eligibility and tax file number information.
The law requires a company to disclose a data breach if:
- There is an unauthorised access to, disclosure of, or loss of, personal information.
- A reasonable person would conclude that the access or disclosure would likely result in serious harm to the individual to whom the information relates.
How does the law affect accounting firms?
Accounting firms are a treasure trove of information. Accountants collect all sorts of sensitive information such as tax file numbers, salary and health insurance details.
It is particularly important that firms assess the potential risks of unauthorised access to, disclosure of, or loss of personal information. A firm needs to decide whether the access or disclosure of that data is likely to result in serious harm to an individual. If so, the firm will need to report it.
A number of factors can determine whether unauthorised access or disclosure of information is likely to cause serious harm. These include:
- The type and sensitivity of the information
- Whether the information was encrypted at the time of access or disclosure or protected in some other way
- Who has had, has, or could obtain access to the information
- Who obtained or could obtain the knowledge required to gain unauthorised access to the information
- The nature of the harm and whether an individual’s identity could be stolen. Could insurance premiums be increased? Could a person become a victim of violence?
The longer a firm waits to report a breach, the greater the risk to clients. The risk is not only to the individuals, who cannot take action to protect themselves if they are unaware of the breach, but also to the firm’s reputation. Penalties can be up to $1.8 million.
Let’s take two scenarios.
Scenario 1: A breach is reported and investigated immediately
A USB stick containing a file with names, addresses and tax file numbers goes missing. The practitioner reports this to their firm. An investigation is conducted and it is determined that the USB stick was encrypted. There is no way anyone could access the information in the file. The firm makes a call that there is no risk of harm to any of the individuals and hence chooses not to report the breach.
Scenario 2: A breach is reported two weeks after it was identified
A USB stick containing a file with names, addresses and tax file numbers goes missing. The practitioner is scared to report this as he or she is worried about the consequences. Two weeks later a member of the public finds the USB stick, checks the contents and notices that the details could be serious. She notices from the file properties that the file came from accounting firm X.
The citizen returns the USB to accounting firm X. An investigation determines that the USB was not encrypted and it is not possible to know who may have had access to the information. Further, the information on the USB could lead to criminals targeting individuals with identity theft or false tax charges. Accounting firm X makes a decision to notify the Office of the Australian Information Commissioner and the individuals whose details were in the Excel file.
What do these scenarios tell us?
The scenarios are not unique to accounting firms. The earlier staff identify and report breaches to management, the sooner an investigation can establish who has been affected, and the easier it is to counter any threats to the individuals involved.
The biggest threat to any organisation is its people, in particular staff who are unable to recognise a potential data breach. So what do accounting firms need to do to prepare?
- Review breach response plans and ensure they are up to date to manage new reporting requirements
- Educate staff members in the definition of personal information
- Educate staff members in data breaches and how to report them
- Create a culture of reporting breaches – no matter how small
What if an accounting firm suffers a ransomware attack?
Ransomware attacks are increasingly common. CryptoLocker and now WannaCry don’t give hackers access to a firm’s data; they block the firm’s access to that data instead. There is no unauthorised access, disclosure or loss of data, and hence no need to assess the likelihood of serious harm. This means that a WannaCry-like ransomware attack would not be an eligible data breach for reporting.
Accounting firms carry a large risk exposure due to the volume and sensitivity of the information they hold. These types of cyber-attack, although there is no requirement to report them as data breaches, can stop the firm from functioning.
Cyberattacks, whether data breaches or otherwise, are a serious strategic issue for any business. Firms will require constant vigilance to minimise risk, build resilience and maintain security.
Image credit: 10and5