The Australian Cyber Security Centre (ACSC) has reported that over 2020–21, it received more than 67,500 cybercrime reports — an increase of nearly 13 per cent from the previous year. This increase equates to one report of cyber attack every eight minutes compared to one every 10 minutes in the previous year. The increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations. Nearly half of reported incidents were categorised as having ‘substantial’ impact.
All sectors of the Australian economy — government agencies, large organisations, critical infrastructure providers, SMEs, individuals — were targeted.
The ACSC identified the exploitation of the pandemic environment as one major cyber security trend seen in 2020–21. In addition, business email compromise continues to present a major threat to Australian businesses and government enterprises, especially as more Australians work remotely. In 2020–21, the average loss per successful event was more than $50,600 — more than 150% higher than the previous year.
Note: October is Cyber Security Awareness Month.
Tax professionals are amongst those who have shifted their operations from the office to their homes for extended periods, particularly in Victoria, NSW and the ACT. This has inevitably been accompanied by a need to address online security matters for the practice as a whole, for each practitioner or employee working via their home internet networks, and for their clients.
The ATO website contains cyber security guidance to protect practitioners’ businesses and clients. In addition, protecting client data is an obligation of registered agents, regardless of work restrictions, and a revisit of the TPB’s longstanding guidance on cyber security insurance is particularly timely.
While there is an end in sight to protracted stay-at-home orders, remote work arrangements and the online exchange of sensitive client information will not be disappearing. Cyber security guidance remains relevant and tax practitioners need to ensure their security systems and policies remain robust to address ongoing and emerging threats.
ATO cyber security guidance
The ATO has developed some resources to assist tax professionals with improving their cyber security.
It recommends that tax professionals:
- check the proof of identity for all new clients and question any discrepancies;
- only lodge for clients whose identity the agent has confirmed;
- ensure computer security systems are up to date and protected against cyber attacks;
- discuss the importance of securing personal information with staff; and
- ensure staff understand what is appropriate to discuss on social media or via email.
The advice is developed in consultation with the Cyber Security Stakeholder Group (CSSG), a group of tax practitioner industry associations and other industry partners, such as software developer associations.
In addition, an online security self-assessment tool for businesses and tax professionals is available on the ATO website.
How data breaches affect tax professionals
A data breach occurs when confidential taxpayer information has been accessed by an unauthorised third party.
Examples of data breaches include but are not limited to:
- unauthorised removal of computers, data, or records in both paper and digital formats;
- people with legitimate access to the data using it for fraudulent means;
- accessing taxpayer files using a fraudulently obtained credential, such as myGovID;
- criminals exploiting vulnerabilities in IT security controls, hacking or phishing for information;
- accidental disclosure of information — for example, records emailed to an unauthorised third party, or hard copies left in a public place;
- payroll information for employees being unlawfully accessed; and
- unauthorised access to cloud based accounting software.
An unlawful acquisition of client information can occur not only from cyber attacks conducted remotely, but also from an in-person theft of tangible equipment and paper documents.
The ATO notes that reports of stolen equipment and data are a regular occurrence. Methods of theft include dumpster diving, letterbox theft, unattended paper or electronic files, theft from wallets, and theft of briefcases or laptops.
The ATO has reported that in one instance, a tax agent had their laptop and documents containing confidential client information stolen from their car. Subsequently, it appeared that the stolen data was used to commit identity theft and to lodge fraudulent PAYG summaries using the clients’ accounts.
How the ATO will handle data breaches
Where a client has been a victim of a data breach, options can include one or more of the following depending on the severity of the breach and any resultant fraud attempts:
- The ATO may require additional proof of identity from the client.
- The ATO may conduct additional monitoring of the client’s accounts and contact the agent or the client to ensure any detected irregular activity is legitimate. This may delay the processing of income tax returns and other forms.
- The ATO may apply additional security measures to prevent particular activity where there is perceived increased risk to clients, government revenue or both. Potential implications include that:
  - the client record may not be accessible through online channels or myGov;
  - pre-fill data may not be available;
  - business activity statements may not issue automatically; the tax or BAS agent will need to request the ATO to generate these statements; and
  - the ATO may delay income tax returns and other forms for verification.
- The ATO may assign a data breach manager to assist and support the agent and the client.
Other government resources
Other government bodies with relevant guidance and information include the following:
- The Office of the Australian Information Commissioner (OAIC) website provides guidance material to assist tax practitioners with complying with their obligations under the Privacy Act 1988 (the Privacy Act), including the Notifiable Data Breaches Scheme (NDBS) — see below for more information.
- Note: The TPB website provides information on how compliance with the NDBS can impact an agent’s TPB registration.
- IDCARE can be contacted for free advice and confidential support for victims of data breaches and identity theft.
- The practice should report any unauthorised access to its myGovID.
Tax agents’ statutory obligations
Implementing strong cyber security controls is not only good business practice, it is also one way for registered agents to meet their statutory obligations to their clients.
Code item 6 — Confidentiality
One of the key sources of obligations is the Code of Professional Conduct (the Code) in the Tax Agent Services Act 2009 (the TASA). In particular, registered agents must be mindful of Code item 6 (confidentiality) which provides that a registered practitioner must not disclose any information relating to a client’s affairs to a third party without the client’s permission, unless there is a legal duty to do so.
TPB Practice Note TPB(PN) 1/2017 sets out the TPB’s practical guidance to registered agents in relation to their obligations under the Code in respect of the use of cloud computing.
Relevant factors to consider in ensuring compliance with Code Item 6 include, among other things:
- Registered practitioners must obtain permission from each client prior to divulging client information to a third party (including cloud service providers). A general authority consenting to disclosure to third parties may be acceptable. Client permission may be by way of a signed letter of engagement, signed consent, or other communication.
- There should be appropriate controls to maintain confidentiality and integrity (such as encryption) to avoid any information leakage.
If a registered practitioner breaches the Code, including in the context of cloud arrangements, the TPB may impose one or more administrative sanctions, including issuing a written caution or order, or suspending or terminating the registered practitioner’s registration.
There may also be commercial and other legal consequences such as an action for damages.
The Privacy Act and the NDB scheme
The Privacy Act sets out a number of Australian Privacy Principles (APPs) which govern the use, storage and disclosure of personal information. Information is available on the OAIC website. The TPB encourages practitioners to seek advice as to whether the provisions of the Privacy Act apply to them.
The Privacy Act also contains the NDB scheme which mandates the reporting of eligible data breaches that occur on or after 22 February 2018.
The NDB scheme requires organisations covered by the Privacy Act to notify any individuals likely to be at risk of serious harm from a data breach. The notification must include recommendations about the steps those individuals should take in response to the data breach.
The TPB and the ATO do not have oversight of these requirements — which are administered by the OAIC — but tax practitioners must be aware of their obligations.
The TPB, in its NDB guidance material, notes that a failure of a registered agent to comply with the NDB rules may be considered in determining whether the agent has breached the TASA, including the Code. In particular, factors to be considered in the context of Code item 6 include:
- Has the tax practitioner taken reasonable steps to have sufficient IT controls in place?
- Was the practitioner reckless in their approach to cyber security?
TPB guidance on client TFN disclosures
The TPB has released Practice Note TPB(PN) 4/2021 to provide practical guidance in relation to using and disclosing a client’s TFN and TFN information in email communications. An email may be vulnerable to unauthorised access during transmission from sender to recipient.
Laws to which a tax practitioner may be subject in relation to TFNs include:
- obligations under the Privacy (Tax File Number) Rule 2015 (TFN Rule) issued under the Privacy Act — which requires that TFN recipients must take reasonable steps to protect TFN information;
- obligations under the Privacy Act and the APPs, including the NDB scheme (TFN recipients are covered by the NDB scheme, in so far as any eligible data breach involves TFN information);
- specific offence provisions under the TAA.
In the Practice Note, the TPB notes that whether a disclosure by a practitioner of a TFN in an unsecured email would amount to an offence under the TAA would be determined by the surrounding circumstances, including the steps taken by the practitioner.
The Practice Note also sets out some suggestions of practical security measures and procedures which tax practitioners may consider to protect the security of TFN information in email communications.
If a registered agent fails to protect the TFNs or TFN information of clients, there may be implications in relation to the TASA — in particular, Code item 6.
Cyber security implications for professional indemnity insurance
Professional indemnity insurance requirements
A registered tax agent, BAS agent or tax (financial services) agent is required to maintain, or to be able to maintain, professional indemnity (PI) insurance that meets the TPB’s requirements in order to maintain registration eligibility.
Failure to maintain appropriate PI insurance may result in sanctions which range from written cautions to suspension or termination of the agent’s registration.
The TPB’s PI requirements are outlined in Explanatory Paper TPB(EP) 03/2010.
Adequate cover is cover that will both:
- adequately indemnify an agent against any civil liability that may arise in the agent’s provision of tax agent or BAS services; and
- reduce the risk that client losses are not compensated by the agent due to the agent having inadequate financial resources or for any other reason.
Whether PI insurance is ‘adequate’ depends on the nature of the agent’s business. Relevant factors may include the volume of business, the number and kind of clients, the types of services provided, the number of employees and the degree of risk.
Cyber insurance cover
While the law does not prescribe the specific features of an adequate policy, the Explanatory Paper sets out the TPB’s recommendations on policy features. This list of features includes cyber insurance cover. Relevantly, once an agent has assessed the risk of a cyber-attack, the TPB recommends they consider whether they require additional protection against cyber threats, including losses that an agent may suffer from a cyber-attack.
These losses are known as ‘first party losses’. First party losses that an entity may suffer as a result of a cyber-attack include losses from a ‘denial of service’ attack, the costs of rectifying harm done (such as repairing and restoring systems that have been damaged by malicious acts), the costs of improving cyber security, the costs of forensic investigations to identify the source of a cyber-attack, reputational damage and the costs of managing a reputational crisis, and extortion costs.
PI insurance policies are limited to responding to losses stemming from a deficiency in the tax agent services provided by the tax practitioner. Therefore, PI insurance policies will generally cover tax practitioner liability for cyber-related events or incidents if the liability arises in relation to the tax practitioner’s provision of tax agent services. This is in contrast with cyber insurance cover, which generally covers for events such as third party cyber liability, first party hacker damage, cyber extortion, data breach notification costs and public relations costs.
Accordingly, the TPB recommends that tax agents and BAS agents obtain additional cyber insurance, in addition to maintaining PI insurance that meets the TPB’s requirements.