Webinar

Issued: 22 April 2021

Last modified: 12 May 2021

View the resources from our webinar, Preventing data breaches, held on 22 April 2021. In this webinar, Board member Greg Lewis and Office of the Australian Information Commissioner Director Connor Dilleen go over the steps you should take to mitigate the risk of a data breach. You'll also learn about your obligations in keeping client information safe.

Resources

Webinar recording

Questions and answers

Email security

You may wish to contact your email system administrator or your internet service provider, or review your email configuration settings.

Email is generally not a secure form of communication, and you should develop procedures to manage the transmission of data, including personal information, via email. Further information and considerations about sending personal information via email can be found in the Office of the Australian Information Commissioner’s (OAIC) Guide to securing personal information.

We have recently released a practice note which provides practical guidance and assistance to registered tax practitioners if they choose to use and disclose a client’s tax file number (TFN) and TFN information in email communications, to ensure compliance with the client confidentiality obligation under the Code of Professional Conduct. It highlights how TFNs and TFN information are protected by various legislative frameworks (which are not administered by us), such as the Privacy Act 1988 (Cth), Privacy (Tax File Number) Rule 2015 and specific offence provisions under the Taxation Administration Act 1953 (Cth). Of note, TFN recipients must take reasonable steps to protect TFN information from, amongst other things, unauthorised access, use, modification, or disclosure.

As your question specifically relates to the handling of TFNs for new staff members, we suggest contacting the Office of the Australian Information Commissioner and/or the Australian Taxation Office and referring to the information published on their websites, as they are primarily responsible for the administration of the laws relating to TFNs.

Taking steps to encrypt data reduces the risk of an unauthorised individual obtaining access to the data in the document.

We have released a practice note to help you understand your obligations when using and disclosing TFNs in email communications. This follows consultation on draft guidance and incorporates the feedback received.

Professional indemnity insurance

Once an agent has assessed the risk of a cyber-attack, the TPB recommends that they consider whether they require additional protection against cyber threats, including losses that an agent may suffer from a cyber-attack (first-party losses). Find out more about our PI insurance requirements.

We highly recommend cyber insurance, but it is not compulsory.

Cyber attacks

Not necessarily, but there are a number of factors to consider before entering an outsourcing or offshoring arrangement. You can find more information in our outsourcing and offshoring practice note.

A brute-force attack is where malicious or criminal actors use automated software to generate a large number of successive guesses at the value of the data they are after, for example a password.

Data breaches

Data breaches can be caused or exacerbated by a variety of factors, involving different types of personal information, and give rise to a range of actual or potential harms to individuals and entities. As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, with an understanding of the risks posed by a breach and the actions that would be most effective in reducing or removing these risks. Generally, the actions taken following a data breach should follow four key steps:

  1. Contain the data breach to prevent any further compromise of personal information.

  2. Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.

  3. Notify individuals and the OAIC, if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.

  4. Review the incident and consider what actions can be taken to prevent future breaches.

We cannot provide advice about whether a specific data breach is notifiable. To determine whether you need to notify, you should consider the following:

  • Does the Privacy Act apply to me?

  • Has there been a data breach that is an unauthorised disclosure, or a loss of personal information I hold?

Where a tax agent has an annual turnover of less than $3 million but is a TFN recipient, their handling of TFN information may still be subject to the Privacy Act 1988 and therefore to the Notifiable Data Breaches (NDB) scheme.

Contraventions of certain provisions of the NDB scheme, including the requirement to notify individuals in the event of an eligible data breach, are subject to a range of existing regulatory and enforcement powers available to the Information Commissioner under the Privacy Act. The Commissioner’s powers range from investigating and conciliating a complaint, to making a determination, including to redress any loss or damage suffered by the complainant, to applying to the Federal Court for a civil penalty order in the event of a serious or repeated interference with privacy.

Preventative measures

Protecting yourself against cyber-attacks involves more than simply installing security software. Of course, ensuring you have reputable antivirus and antimalware security software is a good first step, and some software providers even provide free versions that are quite capable. Generally, however, it’s recommended that individuals or small and medium organisations refer to the guiding principles created by the Australian Cyber Security Centre. You may also want to consult an IT consultant or expert to find a solution that best meets your needs.

VPNs seem like the perfect tool for the job: they encrypt and anonymise our data, keeping it secure and away from prying eyes. But things can get complicated, because any technology that is poorly implemented or maintained can create security risks that the user didn’t intend. It’s worth ensuring you have engaged a trustworthy partner to help with your cloud security solutions. If you see something, or aren’t sure about your or your client’s security, it’s important to ask.

If you’re unsure about the identity of the caller, don’t provide any personal information and call the ATO directly on 13 72 86.

Commercial software providers can develop products which connect to the ATO through its Application Programming Interface (API). The ATO requires all Digital Service Providers (software developers) to comply with the DSP Operational Framework. This is a set of security requirements to protect the integrity of the ATO, its clients and their data. The ATO has published a list of commercial products using APIs on its product register. The information about the product register advises that ‘all products listed on the register are complying with the ATO’s Operational Framework requirements’. If you require more information about the DSP Operational Framework or the ATO product register, you can contact the ATO’s Digital Partnership Office. Also, if you have any questions about the security of your accounting product, we recommend contacting your software provider.

Cybercrime is becoming a significant issue in today’s digital age. Criminals identify sophisticated ways to find vulnerabilities, through scams, hacks or old-school theft by break-in, to obtain client-identifiable data in order to commit fraud. This is one of the reasons why we have reviewed our guidance and released papers for consultation on strengthening client verification. You can find more information in our draft practice note on proof of identity requirements for client verification and the ATO’s consultation paper, Transition to strengthening client verification.

There are also many websites which provide hints and tips on keeping your data, including passwords, secure. An example is the Australian Cyber Security Centre, which has some helpful tips on easy steps to secure your devices and accounts. To maintain a high level of security, passwords should be kept secure and should only be known by the person who owns the access/password, so storing a password in a non-secure manner on a computer is not recommended. We recommend you consider ‘password safe’ programs, many of which support multifactor authentication for added security, which have the capacity to help you securely store passwords and other account details on your computer.