Best Practices for Accounting Firms Navigating Australia’s Notifiable Data Breaches Scheme
It’s been a little over a year since the Notifiable Data Breaches scheme (NDB) was put into effect to regulate the notification and reporting of data breaches to both affected individuals and the Office of Australian Information Commissioner (OAIC).
Many accountants and tax practioners are still grappling with the new privacy law that went info effect on 22 February 2018 and what it means for their technology security and data handling practices.
GKM2 provides proactive IT support for accountants and we’ve seen many upgrading their technology security over the past 12 months as a result of the new data privacy regulations, not just the NDB but also the EU’s General Data Protection Regulation (GDPR).
When it comes to those in the financial industries, their data is of particular interest to cybercriminals because it often contains sensitive financial information and details that can be used for identity theft.
The financial sector reported 3 times as many breaches during the first 8 months of 2018 as compared to two years prior.
If you’ve been wondering if your Australian accounting and tax firm has been doing enough to protect against a data breach, read on for NDB requirements explained and our recommended best practices to follow to stay safe.
What Does the Notifiable Data Breaches Scheme Require of Accountants?
The NDB is connected to the Australian Privacy Act 1988 and all agencies or organisations regulated under that act are also required to notify both individuals and the OAIC when a data breach is likely to cause serious harm to individuals that have had their personal information exposed in a breach.
Who Needs to Comply with NDB?
- Entities already covered by the Privacy Act, known as APP entities
- Entities with an annual turnover of $3 million or more
- Entities that trade in personal information
- Credit providers
- Credit reporting bodies, health service providers, tax file number (TFN) recipients, among others
Who is Exempt from NDB?
- Entities not required to comply with the Privacy Act
- Certain private sector employers
- A small business operator with less than $3 million in annual turnover (unless an exemption applies, such as them being related to an APP entity)
Accounting firms typically handle sensitive data, including TFNs which would require compliance under the Notifiable Data Breaches scheme.
What is Required for NDB Compliance?
You’re required to notify both the impacted individuals or organizations and the Office of Australian Information Commissioner when a data breach occurs and information is lost or subject to unauthorised access.
Failure to comply with the NDB scheme can mean fines up to $2.1 million.
Some examples given by the OAIC of what constitutes a reportable data breach are:
- If a device containing the personal data of your customers is lost or stolen
- If your network is hacked and a database containing personal information is accessed
- If the personal information of a customer is accidentally disclosed to the wrong party
Best Practices to Help Your Accounting Firm Stay in NDB Compliance
Following these best practices can help you get a handle on NDB compliance and avoid a data breach.
Consider Protection Throughout Information Lifecycle
When handling personal information, you want to look at all stages of the lifecycle and evaluate protections from the moment the data is collected until it is destroyed. The OAIC describes the five lifecycle steps as follows:
- Considering whether collection of personal data is necessary
- Embedding privacy protections into design of information handling practices
- Assessing risks that come with collection of personal information
- Taking steps to put protection strategies into place
- Destruction of personal information when it’s no longer needed
Secure Login Credentials
Weak passwords are one of the main ways that hackers can gain access to your company’s personal information or a database filled with customer files. Teach your employees strong password practices or institute the use of a password management program that automatically generates unique, strong passwords for every login.
To add another layer of credential security, enable multi-factor authentication on any logins that access programs with sensitive information.
Have an IT Security Assessment Performed
Is your firewall and anti-virus software up to date and providing the proper protection to your network? Do you have safeguards against email phishing attacks?
A security assessment by a trained IT firm can provide you with vital information about your IT security health and identify any vulnerable areas to ensure your basic cybersecurity infrastructure is as strong as it needs to be to avoid data breaches.
Create a Data Breach Checklist
In the event of a data breach, you want to react to the situation as fast as possible rather than panic and having a checklist to refer to with the proper steps to take in the order to take them can help you minimize damages.
Include in the checklist the notification requirements of NDB, so you’ll be sure to be in compliance with the regulation and won’t miss any steps.
Use Mobile Device Management Software
Data is increasingly being access via mobile devices like smartphones and tablets and this can leave a gap in security protocols if those devices aren’t kept in check.
If any personal data is accessed by mobile devices, it’s a good idea to use a mobile device management software which will allow you to lock out lost or stolen devices, plus keep records of data access from mobile applications to ensure security protocols are being followed.
Keep Your Network Secure with Remote Monitoring
GKM2 can make IT security for your accounting firm easier by providing a number of support services, such as continual remote monitoring of your network. We proactively watch for any threats to ensure your data stays secure.
Contact us today to learn more about our IT security services at 1800 934 204 or +61 2 9161 7171 or reach out online.