Go to top of page

Preventing data breaches – questions and answers

12 May 2021

Preventing data breaches – Questions and answers

We have compiled some of the questions we received during our webinar – Preventing data breaches.

Email security

Professional indemnity insurance

Cyber attacks

Data breaches

Preventative measures


Email security

I am facing a problem with my emails. Some of them don't reach their destination. Could that be a cyber-attack?

You may wish to contact your email system administrator or your internet service provider or review your email configuration settings.

Is it considered ‘incompetent’ to transfer data via email?

Email is generally not a secure form of communication and you should develop procedures to manage the transmission of data, including personal information, via email. Further information and considerations about sending personal information via email can be found in the Office of the Australian Information Commissioner’s (OAIC) Guide to securing personal information

I sometimes get emailed TFNs for new staff members. Should I stop this procedure to protect the TFN and find other means of receiving it remotely?

We have recently released a practice note which provides practical guidance and assistance to registered tax practitioners if they choose to use and disclose a client’s tax file number (TFN) and TFN information in email communications, to ensure compliance with the client confidentiality obligation under the Code of Professional Conduct. It highlights how TFNs and TFN information are protected by various legislative frameworks (which are not administered by us), such as the Privacy Act 1988 (Cth), Privacy (Tax File Number) Rule 2015 and specific offence provisions under the Taxation Administration Act 1953 (Cth). Of note, TFN recipients must take reasonable steps to protect TFN information from, amongst other things, unauthorised access, use, modification, or disclosure.

As your question specifically relates to the handling of TFNs for new staff members, we suggest contacting the Office of the Australian Information Commissioner and/or the Australian Taxation Office and refer to the information published on their websites, as they are primarily responsible for the administration of the laws relating to TFNs.

Is encrypting all attached documents that contain a tax file number in emails considered best practice?

Taking steps to encrypt data reduces the risk of an unauthorised individual obtaining access to data on the document.

We have released a practice note to help you understand your obligations when using and disclosing TFNs in email communications. This follows consultation on a draft guidance and incorporating the feedback received.

Back to Top ↑

Professional indemnity insurance

Does the TPB recommend cyber insurance?

Once an agent has assessed the risk of a cyber-attack, the TPB recommends they consider whether they require additional protection against cyber threats, including losses that an agent may suffer from a cyber-attack (first party losses). Find out more about our PI insurance requirements.

As a registered tax practitioner would I be in breach of my obligations to the TPB if I don’t have PI insurance coverage for cyber-attacks?

We highly recommend cyber insurance, but it is not compulsory.

Cyber attacks

Does outsourcing tasks to overseas accounting firms make me more vulnerable to data leaks and cyber-attacks?

Not necessarily, but there are a number of factors to consider before entering an outsourcing or offshoring arrangement. You can find more information in our outsourcing and offshoring practice note

What is a ‘brute-force attack’?

A brute-force attack is where malicious or criminal actors use automated software to generate a large number of consecutive guesses as to the value of the desired data, for example passwords.

Back to Top ↑

Data breaches

How do I respond to a data breach?

Data breaches can be caused or exacerbated by a variety of factors, involving different types of personal information, and give rise to a range of actual or potential harms to individuals and entities. As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, with an understanding of the risks posed by a breach and the actions that would be most effective in reducing or removing these risks. Generally, the actions taken following a data breach should follow four key steps:

  1. Contain the data breach to prevent any further compromise of personal information.
  2. Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
  3. Notify individuals and the OAIC, if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.
  4. Review the incident and consider what actions can be taken to prevent future breaches.

Would it constitute a data breach if a client provided me with incorrect contact information and I subsequently sent sensitive documents to the wrong address?

We cannot provide advice about whether a specific data breach is notifiable. To determine whether you need to notify, you should consider the following:

  • Does the Privacy Act apply to me? 
  • Has there been a data breach that is an unauthorised disclosure, or a loss of personal information I hold?

Is it true that the Notifiable Data Breaches scheme does not apply to entities not covered by the Privacy Act (which for most tax agents would be those with more than a $3 million turnover)?

Where a tax agent has an annual turnover less than $3 million but they are TFN recipients, their handling of TFN information may still be subject to the Privacy Act 1988 and therefore the Notifiable Data Breaches (NDB) scheme.

What penalties are imposed on organisations that continue to suffer data breaches?

Contraventions of certain provisions of the NDB scheme, including the requirement to notify individuals in the event of an eligible data breach, are subject to a range of existing regulatory and enforcement powers available to the Information Commissioner under the Privacy Act. The Commissioner’s powers range from investigating and conciliating a complaint, to making a determination, including to redress any loss or damage suffered by the complainant, to applying to the Federal Court for a civil penalty order in the event of a serious or repeated interference with privacy.

Back to Top ↑

Preventative measures

Where can I find information about the ‘reasonable’ practices and strategies (e.g. security software) I should be implementing in order to protect myself against cyber-attacks?

Protecting yourself against cyber-attacks involves more than simply installing security software. Of course, ensuring you have reputable antivirus and antimalware security software is a good first step and some software providers even provide free versions that are quite capable. Generally however, it’s recommended that individuals or small and medium organisations refer to the guiding principles created by the Australian Cyber Security Centre. You may also want to consult with an IT consultant or expert to find a solution that best meets your needs.

Does a VPN protect from data breaches and cyber-attacks?

VPNs seem like the perfect tool for the job – they encrypt and anonymise our data, keeping it secure and away from prying eyes. But things can get complicated, any technology poorly implemented or maintained can create security risks that the user didn’t intend. It’s worth ensuring you have engaged a trustworthy partner to help with your cloud security solutions. If you see something or aren’t sure about your or your client’s security, it’s important to ask.

The ATO often call agents for a variety of reasons.  How should agents verify that it is in fact the ATO making the call and not a scam?

If you’re unsure about the identity of the caller don’t provide any personal information and call the ATO directly on 13 72 86.

Do I need to audit the security of the accounting software I use?

Commercial software providers can develop products which connect to the ATO through their Application Programming Interface (API). The ATO requires all Digital Service Providers (software developers) to comply with the DSP Operational Framework. This is a set of security requirements to protect the integrity of the ATO, its clients and their data. The ATO has published a list of commercial products using APIs on their product register. The information about the product register advises ‘all products listed on the register are complying with the ATO’s Operational Framework requirements’. If you require more information about the DSP Operational Framework or ATO product register you can contact the dpo [at] ato.gov.au (ATO’s Digital Partnership Office). Also, if you have any questions about the security of your accounting product, we recommend contacting your software provider.

If you save passwords on a computer would you be liable if someone broke in and used or stole your computer and was able to access all your information?

Cybercrime is becoming a significant issue in today’s digital age. Criminals identify sophisticated ways to find vulnerabilities through scams, hacks, or old school theft by break-in, to obtain client identifiable data in order to commit fraud. This is one of the reasons why we have reviewed our guidance and released papers for consultation on strengthening client verification. You can find more information in our draft Practice Note on proof of identity requirements for client verification and the ATO’s consultation paper, Transition to strengthening client verification.

There are also many websites which provide hints and tips to keeping your data, including passwords, secure. An example is the Australian Cyber Security Centre – they have some helpful tips on easy steps to secure your devices and accounts. To maintain a high level of security, passwords should be kept secure and should only be known by the person who owns the access/password, therefore storing of a password in a non-secure manner on a computer is not recommended. We recommend you consider ‘password safe’ programs, many of which support multifactor authentication for added security, which have the capacity to help you securely store passwords and other account details on your computer.

Back to Top ↑

Last modified: 12 May 2021