Data Protection & Privacy
Cyber security incidents and privacy non-compliance risks are paramount concerns for the financial services sector, an industry that holds large volumes of personal information about customers' financial affairs.
The need for participants in the financial services sector to build resilience to respond to, and recover from, a significant data breach or other cyber incident has been put into sharp focus by recent regulatory developments.
Australian companies' protection of their customers' data is coming under increased scrutiny from a range of regulators, not only the Office of the Australian Information Commissioner (OAIC). In August 2020, ASIC commenced proceedings against RI Advice Group Pty Ltd (RI) for failing to have adequate cyber security systems.
The action is only in its early stages, with the Court tentatively listing it for trial in late November 2021. However, the claim highlights the importance that companies and their directors and officers should place on having robust cyber security policies and practices in place. It also illustrates that, in the face of a cyber incident, businesses need to consider, and receive advice on, their corporate regulatory obligations more generally, not only their privacy obligations.
In Australia, the regulation of personal information at the Commonwealth level is effected through the Privacy Act 1988 (Cth) (Privacy Act). Pursuant to section 13G of the Privacy Act, the OAIC may seek a civil penalty order of up to AUD 2.1m in matters involving repeated or serious interference with privacy, although this has been flagged to increase later this year to the greater of $10m and 10% of annual domestic revenue.
To date, OAIC civil penalty proceedings are rare. Further, the protection of the data of corporate customers is not captured in this regulatory framework. However, in the recent penalty proceedings taken by the OAIC against Facebook (resulting from the Cambridge Analytica saga), the OAIC is seeking separate penalties (i.e. up to $2.1m) for each of the approx. 320,000 Australians affected which, if successful, will be a hefty fine, even by global standards.
Data protection and financial services obligations
Participants in the financial services sector who hold an Australian financial services licence are also subject to a range of general and specific obligations under Chapter 7 of the Corporations Act. Section 912A(1) of the Corporations Act sets out a range of general obligations, and the ASIC action against RI is based on a breach of the following obligations:
A financial services licensee must:
(d) … have available adequate resources (including … technological … resources) to provide the financial services covered by the licence and to carry out supervisory arrangements; and
(h) … have adequate risk management systems.
Additionally, it is a standard term of Australian Financial Services Licences that:
The licensee must establish and maintain compliance measures that ensure, as far as is reasonably practicable, that the licensee complies with the provisions of financial services laws.
These provisions have always been broad enough to cover cyber security risks and bring data breaches and other cyber incidents within ASIC's investigatory remit. However, up until the RI action, there seemed to be no appetite for ASIC to take action in this space.
RI is a financial planning and advisory firm and an Australian Financial Services Licensee. ASIC alleges that RI was the target of several cyber incidents between 2016 and 2020. These included:
ASIC alleges that, although RI did undertake some cyber security initiatives to address the cyber security problems across its AR networks, RI's measures and its responses were inadequate and should have included the following:
ANZ Bank sold RI to IOOF on 1 October 2018. After the change of ownership, RI adopted IOOF's cyber security documentation. However, ASIC alleges that RI did not implement or use these documents correctly. Specifically, it is alleged that:
ASIC alleges that RI breached its AFSL obligations and is seeking orders that RI pay a civil penalty and implement an appropriate cyber security risk management framework.
Under recent amendments to the Corporations Act there has been a significant increase in the penalty regime for breaches of financial services obligations. The maximum civil penalty for companies that are found to be in breach of section 912A obligations is now a fine of the greater of:
ASIC's action demonstrates that it considers robust data security and governance to be a core obligation of all AFSL holders. The case is part of a growing trend globally, which has seen corporate regulators take an increased interest in how companies use and protect their customers' data, including personal information.
The RI action further emphasises that cyber security, cyber resilience and data governance must be a fundamental part of all organisations' risk management practices and frameworks. They need to be documented and considered at board level. Once policies are set, they need to be implemented and monitored. Organisations face increasing scrutiny to maintain effective data governance practices to mitigate against cyber incidents, including data breaches.
Additionally, in the event of a data breach, an AFSL holder needs to consider not just its obligations to notify the OAIC in relation to the affected personal information but also whether it needs to notify ASIC of a potential breach of its AFSL conditions. The obligation to notify will not be triggered by every data breach and will turn on the facts underpinning the incident.
It is also clear from the RI prosecution that incident response and remediation in the event of a data breach or cyber incident is critical. How an organisation responds to an incident and the remediation steps that are put in place to avoid a repeated breach will proportionally affect the chances of ancillary regulatory action and the level of any fines imposed.
With the announcement of its 2020-2024 Cyber Security Strategy, APRA has heralded a shift in its approach to testing the cyber resilience of the financial sector.
APRA introduced Prudential Standard CPS 234 in July 2019 to ensure that APRA-regulated entities take measures to be resilient against information security incidents (including cyber attacks) by maintaining information security capability commensurate with the criticality of the IT/function and the information security vulnerabilities and threats.
One of the components of CPS 234 is implementation of controls to protect information assets. In particular, where information assets are managed by a third party, APRA-regulated entities must assess the information security capability of that party, commensurate with the consequences or potential impact of an information security incident affecting those assets. Over the last 18 months we have assisted numerous clients to reconsider their third party information security relationships.
In its latest strategy, APRA highlights that it only directly supervises 680 participants in the financial services sector. However, there are over 17,000 interconnected financial entities, markets and financial market infrastructure that provide products and services to consumers. APRA has foreshadowed that it will apply a broader set of regulatory tools and techniques to cyber risk, to impose greater accountability on entities in the financial services sector.
APRA's new cyber strategy includes:
The Attorney-General's Department released the Privacy Act Review Issues Paper (Issues Paper) in October 2020. A discussion paper is scheduled to be released in 2021. The review of the Privacy Act follows recommendations made in the ACCC's Digital Platforms Inquiry in 2018 and the Australian Law Reform Commission Report on Serious Invasions of Privacy in the Digital Era.
The proposed changes foreshadowed in the Issues Paper have several implications for financial services providers as entities that deal with large volumes of personal information.
The Issues Paper considers whether the definition of 'personal information' should be expanded to include technical data and online identifiers, including IP addresses, location data and device identifiers. Additional regulatory protection for de-identified, anonymised and pseudonymised information has also been suggested.
The Issues Paper also proposes a review of the current exemptions to the operation of the Privacy Act, especially the employee records exemption. The Privacy Act currently exempts personal information relating to employees' work-related activities (i.e. employee records) from the operation of the Privacy Act. The scope of this exemption may be narrowed or it may be removed altogether.
In December 2020, the OAIC provided their response to the Submissions paper. The OAIC recommended a number of changes across the Act. These amendments are driven by the OAIC's desire for a greater emphasis on the rights of individuals and the obligations of entities to protect those rights to ensure the public interest is served by privacy law into the next decade.
Requiring consent to (as opposed to notice for) the collection and disclosure of personal information has also been identified as a key area for reform in the Issues Paper. Reforms in the following areas are being considered:
The Issues Paper also covers proposals for harsher civil penalties and new enforcement actions for breaches of the Privacy Act.
As noted earlier, the Australian Government is already planning to increase the maximum penalty for serious or repeated breaches of privacy, which currently sits at $2,100,000, to a maximum penalty of the greater of:
There are also planned amendments to provide the OAIC with new infringement notice powers. These powers will be backed by new penalties of $63,000 for bodies corporate for failure to cooperate with efforts to resolve minor breaches.
The Issues Paper is also considering the introduction of a right for individuals to bring direct actions and class actions against organisations to seek damages for harm suffered as a result of an interference with their privacy (which may be evidenced by a notifiable data breach). A possible statutory tort of 'invasion of privacy' has also been raised.
The proposed reforms demonstrate a shift away from reliance on principles towards prescriptive provisions and heavier, more rigorously applied penalties for privacy breaches. For providers of financial services, as companies that collect a large volume of personal information from their customers, this increased oversight has several implications:
When undertaking pre-incident work or responding to incidents, you need a team that knows how to best prepare you for and remediate the incident, engage with both privacy and corporate regulators, and guide you to a more resilient place to recover.
John Moran is a recognised leader in both D&O liability claims and cyber security and cyber incident response. He is uniquely placed to advise organisations about cyber incident planning and liability and exposures resulting from cyber incidents.
Alec Christie is a leading digital law, data protection and privacy lawyer. With over 30 years' experience, Alec has a national and cross-border Asia Pacific practice with an emphasis on privacy and cyber security compliance, digital transformations, blockchain, smart contracts and cryptocurrencies. He has particular expertise in pre-incident support and helping clients enhance their privacy, cyber and digital resilience.
Avryl Lattin leads Clyde & Co's Australian resilience team. She regularly advises clients on corporate governance and regulatory issues in the context of ASIC, APRA and ACCC investigations and has assisted many financial services companies to manage the corporate regulatory implications of a data breach.
Clyde & Co has the largest dedicated and rapidly expanding cyber incident response and privacy practice in Australia and New Zealand. Our experienced team have dealt with over 700 data breaches and technology related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.
From pre-incident readiness through to defence of regulatory investigations and proceedings, we assist clients globally with their privacy and cyber security and resilience needs.
Australia: + 61 2 9210 4464
New Zealand: 0800 527 508