Historically, businesses have kept documents to 'be on the safe side'. But, as we now see in the wake of last year's

High-profile data breaches

While investigations are ongoing into the

- In 2018, the
- In 2019, Australian unicorn Canva suffered a data breach impacting 137 million of its users, including usernames, names, email addresses, passwords, and payment data.
- In 2020, 47 Service NSW staff email accounts were hacked through a series of phishing attacks, leading to 5 million documents being accessed, 10 percent of which contained sensitive data impacting 104,000 people.
- In 2021, Tasmanian Ambulance communications network was hacked, and every person requesting an ambulance between November 2020 and January 2021 had personal information posted online, including HIV status, gender, age and address of the emergency incident.

These events underscore the urgency of assessing the vulnerability of our information management systems and our privacy and data breach procedures.

The World Wide Web: Convenience & Insecurity

The World Wide Web is the single most important platform for doing business in modern times. It was invented in 1989 by an English scientist as a catalogue for scientists in different locations around the world to easily find and view data. At that time, the Web was not seen or used as a place to store personal information, but as a platform designed for openness and flexibility. Accordingly, security concerns were minimal.

Fast forward three decades to a time when we all carry our own personal computers connected to the World Wide Web, on which we do everything from verifying our identity to paying our bills to making real-time investments. Understanding cybersecurity is therefore critical to a business's risk management approach and regulatory compliance. While we need not be experts, we do need to know how to keep our clients' information safe to comply with our legal obligations.

Regulatory spotlight: Privacy & Cybersecurity

Information that is required to be collected and retained by licensees in the provision of financial and credit services encompasses 'personal information' as defined under the Privacy Act.¹

'Personal information' means information or an opinion about an identified individual, or an individual who is reasonably identifiable.

For example:

- financial service licensees giving personal advice to retail clients collect information about the objectives, financial situation and needs of the client, which may include questionnaires about salary, investments and health, superannuation statements, tax returns, etc.
- credit assistance providers collect information about consumers' requirements, objectives and financial situations, which may include credit reports, bank statements, loan statements, payslips, tax returns, etc.
- non-bank lenders collect information about the corporate customer (known as KYC), including information identifying the beneficial ownership and control structure of corporate entities, which may include identification documents such as the results of online person searches, passport, driver's licence, etc.

So, as well as having obligations under the financial and credit services regimes in relation to information collection and retention, licensees owe separate and additional obligations under the Privacy Act.

Privacy reform

Recent privacy reforms were fast-tracked in response to the

The recent privacy reforms include:

- extended territorial reach of the Privacy Act to Australians' data even when used by foreign companies
- increased penalties under the Privacy Act for serious or repeated interferences with privacy, which for a company will be the greater of $50 million, 3 times the benefit obtained from the breach, or 30% of the company's revenue during the period
- expanded enforcement powers for the Office of the Australian Information Commissioner, including infringement notices and post-determination orders for independent advice and publication relating to the breach conduct
- greater information gathering and sharing powers for the OAIC and the Australian Communications and Media Authority, including sharing information with other authorities and, for the OAIC, publishing information in the public interest
- a strengthened Notifiable Data Breaches scheme permitting the OAIC to request information and documents about actual or suspected eligible data breaches for compliance assessments

Prioritising cybersecurity

Alongside its commitment to privacy reform, the federal government has since 2017 allocated cyber security to a ministry and created a single point of advice and support on cyber security, the

"Focus on the impacts of technology in financial markets and services, drive good cyber-risk and operational resilience practices, and act to address digitally enabled misconduct, including scams".

In its recent case against RI Advice,³ ASIC alleged breaches of section 912A(1) of the Corporations Act regarding the licensee's failure to have and implement policies, procedures, resources and controls which were reasonably appropriate to adequately manage cybersecurity and resilience risk.

RI Advice engaged more than 100 authorised representatives, among whom there were 9 incidents of cyber attacks over a period of 6 years. The incidents included hacking of emails, ransomware and phishing attacks, which led to the loss of personal information, client funds and customer trust. These incidents became known to the licensee, which investigated them but failed to address them in a timely manner. RI Advice admitted the breaches and was ordered to engage a cybersecurity expert to identify and implement further cybersecurity measures across its network and to pay

Cleaning house: Information collection, retention and destruction

To minimise the risk of breaching licensee obligations and of data breaches, limiting the data you hold to that which is necessary is a good place to start. This may require an audit of the information you already hold and of the information you collect in future, to inform you as to which information you may be able to destroy. This process will involve consideration of the type of information and the reasons for which you collected it, because licensees are bound by several different obligations in relation to the retention of information.

For example, in circumstances where a credit assistance provider collects information to assess the unsuitability of a home loan for a Victorian consumer, they must:

- Retain 'credit information' relating to 'consumer credit liability information' under the Privacy Act for 2 years, starting on the day on which the consumer credit to which the information relates is terminated or otherwise ceases to be in force⁴
- Retain financial records under the National Credit Act for 7 years⁵
- Retain records relating to the provision of designated services (i.e. lending) under the Anti-Money Laundering & Counter Terrorism Financing Act for 7 years, starting the day after the record was created⁶
- Retain documents that are, or are reasonably likely to be, required in evidence in a legal proceeding under the Crimes Act (Victoria) for an unlimited time⁷

This example illustrates the complexity that can attach to the management of information. The recent data breaches and regulatory focus, however, show us the dangers of compliance complacency and the importance of knowing what information you have, why you collect it, how to keep it safe and when you can destroy it.

Tips

- Know what information you need to collect, how to keep it secure and when it can be destroyed
- Audit and schedule destruction dates for information you already have
- Update your Policies & Procedures
- Ensure you have adequate resourcing to manage information
- Prepare for, protect against, respond to & recover from cyber incidents

Footnotes

1 Section 6 of the Privacy Act 1988 (Cth).
2 The
3
4 Section 20W of the Privacy Act 1988 (Cth).
5 Section 95 of the National Consumer Credit Protection Act 2009 (Cth).
6 Section 106 of the Anti-Money Laundering and Counter Terrorism Financing Act 2006 (Cth).
7 Section 254 of the Crimes Act 1958 (Vic).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Tel: 39670 8200
Fax: 39670 5499
E-mail: law@hnlaw.com.au
URL: www.hnlaw.com.au
© Mondaq Ltd, 2023 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source