Australia: Cyber Risk For Australian Accounting, Tax And Financial Services Firms

Last Updated: 11 April 2018
Article by Matthew Pokarier and Ben Di Marco

Australian accounting and financial services firms are key targets for data breaches as the client, staff and commercial records they hold are commonly used to commit tax-refund fraud, superannuation fraud, identity theft and financial fraud against firm clients. This article provides an overview of some of the legal and regulatory risks facing Australian firms when they suffer serious third party intrusions or lose personal or sensitive records.


Many Australian financial services organisations are now subject to Australia's Mandatory Data Breach Notification Regime (which came into effect on 22 February 2018) and must now promptly investigate and notify the Office of the Australian Information Commissioner (OAIC) and affected individuals where an "eligible data breach" occurs.

Financial services firms are stewards of sensitive client information and have common law and statutory duties to protect their clients and their clients' data. They must take reasonable steps to protect the data in their custody and control, and to carefully investigate third party intrusions and security events. Consequently, where a firm suspects it may have suffered a data breach, specialist legal advice should be sought as soon as possible. Consistent with their obligations to protect personal information, firms should also consider the following as part of their compliance and response strategy:

  • Events leading to an intrusion can demonstrate substantive breaches of obligations the organisation may owe under the Privacy Act 1988 (Cth) (Privacy Act).
  • From 22 February 2018, organisations must investigate suspected data breaches, and notify the Australian Information Commissioner and impacted individuals if they suffer an "eligible data breach".
  • Data breach events can potentially contravene legislative prohibitions that organisations cannot request, record, use or disclose tax file numbers for non-permitted purposes.
  • Guidance has been provided by the Australian Tax Office (ATO) for managing data breach incidents, and the ATO has requested that it be notified of certain data breach events.
  • Firms owe common law, contractual, statutory and fiduciary duties that should be carefully analysed in the course of triaging and responding to breach events.

What records are targeted?

The ATO guidelines describe a data breach as an event that occurs when confidential information "has been accessed by an unauthorised third party".1 Commonly, attacks against financial services firms target confidential information, including employee payroll data, tax and superannuation information, confidential business documents, banking details, and any personal information in the care, custody, or control of an organisation.

Privacy Act obligations

The Privacy Act regulates how Australian organisations can collect, protect, use and disclose personal information.2 Personal information is defined as information or an opinion (which may not necessarily be true) about an identified individual, or an individual who is reasonably identifiable3 and commonly includes client information such as tax file numbers, bank account details, full names, address details or phone numbers.

A key obligation is contained in APP 11.1 of the Privacy Act, which requires an organisation to take reasonable steps to protect the personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure. Other relevant obligations include taking reasonable steps to destroy or de-identify personal information that is no longer needed, and to only use or disclose personal information for the purpose for which it was collected. Compliance with these obligations requires consideration of all relevant circumstances and the individual protections and procedures adopted by the firm.

Financial services and tax firms must be mindful of their Privacy Act obligations due to the volume of personal information which they collect, and the extent to which this information is relied upon to deliver services to their clients. These organisations must also carefully consider the relationships they have with third party providers, as they can be responsible for any losses of personal information that are caused by those service providers.

The OAIC enforces compliance with the Privacy Act and has the power to investigate privacy complaints, commence an own motion investigation, accept an enforceable undertaking, and impose civil penalties of up to 2000 penalty units upon a non-compliant entity.

Mandatory Data Breach Notification Regime

Australia's new Mandatory Data Breach Notification Regime commenced on 22 February 2018 and will require many financial and tax firms to notify the Australian Information Commissioner of suspected data breaches affecting personal information, credit information or tax file numbers. A breach of this notification obligation may attract significant fines, and result in investigations by the OAIC.

Tax File Number obligations

The Taxation Administration Act 1953 (the TA Act) and the Privacy (Tax File Number) Rule 2015 (TFN Rule) limit the ways in which organisations can use Tax File Numbers (TFNs). Under the TA Act, it is an offence to request, record, use or disclose TFNs unless as strictly permitted by the legislation. Breaches of these provisions can result in a fine of up to 100 penalty units and/or two years imprisonment.

The TFN Rule further prohibits tax professionals, and any TFN recipient, from recording, collecting, using or disclosing TFN information unless permitted under taxation, personal assistance or superannuation law. A TFN recipient includes any person, agency, organisation or other entity that is in possession or control of a record that contains TFN information, such as tax agents and accountants.

The Australian Information Commissioner is equipped with powers to monitor practices relating to TFNs and evaluate compliance with the TFN Rule, investigate the security and accuracy of TFN information an organisation holds, and provide advice to TFN recipients regarding their privacy obligations.

Where financial services firms hold TFN records, specific steps should be taken to ensure these records are protected, and that policies and procedures are in place to demonstrate compliance with the TA Act and the TFN Rule.

The ATO's role and recommendations

The ATO has recommended that financial services firms report data breaches to the ATO in order to reduce the risk of fraud events being committed against Australian citizens.4 The ATO also recommends that affected businesses inform impacted clients and staff of a data breach, and contact the relevant software provider if a data breach incident originated in one of their service offerings.

Engaging with the ATO after a data breach can provide an organisation with valuable resources and support; however, any notification should be carefully considered in light of the organisation's legal and regulatory obligations, and specialist legal advice should be sought in this regard.

The ATO can take steps to help protect compromised client records through monitoring processes, identification alerts, and by assigning a data breach manager to an affected practice. The ATO has provided recommendations on the steps organisations should take to meet their data security and privacy obligations and has recommended (amongst other things) that organisations take steps to ensure that security software and controls are up to date, and that systems access is reviewed to remove employees who no longer require it.5

Firms should familiarise themselves with these recommendations and consider the adequacy of their internal policy and procedure documents. Where there is uncertainty around the adequacy of policy and internal governance documents, legal advice should be sought.

Other legal duties

Financial services and taxation firms also owe common law and fiduciary duties to their clients, which require firms to take reasonable steps to protect their clients from harm, exercise due care and skill in their dealings, and comply with duties of confidence they owe to clients. Other legal obligations can arise from the terms of specific client retainers, the terms of third party contracts and under the principles of equity.

In overseas jurisdictions, accounting and financial service firms that suffer data breaches commonly face third party claims which:

  • Demand compensation for individuals impacted by a breach;
  • Seek recovery of costs and expenses incurred by third parties to remediate fraud which resulted from the breach;
  • Demand termination of a contract and/or pursue contractual damages on behalf of customers, suppliers and business partners; and
  • Can include allegations that security events were caused by a breach of a director's duties.

These organisations are also commonly subject to investigations and complaints made to regulatory bodies.

The impact of the potential third party risks should be carefully considered when developing a strategy to respond to any significant breach event.

Increasingly, firms are also considering their recovery options for data breach losses, and the extent to which third party providers may be liable for a security event sustained by an organisation. This is a developing area, and obtaining prompt legal advice can help firms identify potential recovery avenues.


1 Australian Taxation Office, Australian Government, Data Breach Guidance for Tax Professionals (19 January 2018).

2 The obligations apply to any organisation that meets the definition of 'APP entity' under s 6(1) of the Privacy Act 1988 (Cth) and are housed within the Australian Privacy Principles listed in Schedule 1.

3 Privacy Act 1988 (Cth) s 6.

4 Australian Taxation Office, above n 2.

5 Australian Taxation Office, above n 2.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
