17 Nov 2021 This week in tax
In last week’s TaxVine, the first preamble in a two-part series, The Tax Institute’s Risk Officer, Michelle Greenfield, considered the Notifiable Data Breaches (NDB) scheme and some recent findings. Given the increased activity by scammers, media reporting of victims and government focus on safeguarding data, it is timely to remind our members of their obligations to report certain data breaches. This week, Michelle worked with the Australian Taxation Office (ATO) and Tax Practitioners Board (TPB) on Part 2, which considers practical guidance for practitioners.
Notifying data breaches … practical guidance
Tax Practitioners Board perspective
Registered tax practitioners already have obligations to protect TFN information under the Privacy (Tax File Number) Rule 2015 and the Taxation Administration Act 1953.
A failure by a tax practitioner to comply with the NDB scheme may be considered by the TPB in determining whether they have breached the Tax Agent Services Act 2009 (TASA), including the Code of Professional Conduct (Code). Item 6 of the Code (about confidentiality) requires that a registered tax agent must not disclose information relating to a client’s affairs to a third party without the client’s permission, unless there is a legal duty to do so.
If a registered tax agent has been incompetent or reckless regarding IT controls, and this has resulted in a breach of confidentiality because of a cyber incident, the TPB may impose one or more administrative sanctions for breach of the Code.
The TPB recommends all tax practitioners review their practices, procedures and systems for securing personal information to comply with NDB scheme. The TPB recommends that you consider:
- reviewing current information security practices, procedures and systems to ensure they are adequate, including taking steps to ensure all security software and controls are up to date, and revoking access for people who no longer require it;
- preparing a data breach response plan (or updating a current plan) to ensure the ability to respond quickly to suspected data breaches;
- providing training to relevant staff as to any role they may have in responding to data breaches.
From a tax perspective, security of information provided to you by your clients is an important aspect of operating your practice. It is crucial that all your business, staff and client information is kept secure, because if your data is lost or compromised, it can be very difficult and costly to restore.
Implications of data breaches
Data breaches often lead to refund fraud. The ATO has sophisticated methods in place to identify and protect against potential tax and superannuation fraud.
The ATO provides these examples of data breaches:
- unauthorised removal of computers, data, or records in both paper and digital formats;
- people with legitimate access to data using it for fraudulent activity;
- accessing taxpayer files using a fraudulently obtained credential, such as myGovID;
- criminals exploiting vulnerabilities in your IT security controls, hacking or phishing for information;
- accidental disclosure of information, for example, records emailed to an unauthorised third party or hard copies left in a public place;
- payroll information for your employees being unlawfully accessed;
- unauthorised access to cloud-based services you use to store information.
The implications of a data breach include the following:
- The ATO may ask for additional proof of record ownership before they discuss the tax affairs of a taxpayer, and may request that the taxpayer contacts the ATO directly even if they have an agent.
- The ATO will continue to monitor any impacted ATO records to ensure transactions on these accounts are accurate. If any irregular activity is identified, the ATO may contact you or your client to verify the accuracy of the information provided or the legitimacy of any account activity. This could delay processing of tax returns and other forms.
- Depending on the nature of the breach, additional security measures may be applied such as:
- an inability to use the ATO’s online channels or myGov;
- unavailability of pre-fill data;
- preventing business activity statements from issuing automatically — the ATO would need to be contacted before each lodgment so the statements can be generated; and
- making extra checks for tax returns and other forms that could delay processing.
How does the ATO respond to reports of data breaches?
Every year, the ATO works closely with agents and their clients who have been the victim of a data breach. The most commonly reported breaches to them are:
- Unauthorised system access (e.g. compromised passwords, or a staff member clicking a link in a phishing email that captures their login details);
- Physical break-ins (e.g. resulting in a stolen laptop with client records); and
- Ransomware attacks where data has been exposed to cyber criminals.
Once the breach is known to the ATO, the ATO can add protections to user accounts and monitor for unusual behaviour. However, while this data loss may impact these agents and clients when interacting with the tax and superannuation systems, it can also have far wider impacts for the affected individuals and businesses in the wider community and economy. Unfortunately, these effects can be long lasting and can be quite stressful on all concerned, so prevention is the best strategy.
If you have experienced a breach, the ATO recommends contacting their Client Identity Support Centre as soon as possible on 1800 467 033 Monday to Friday, 8:00am–6:00pm (AEST) so that the ATO can apply measures to protect your business, staff and clients. Further, if you or your clients are concerned about the security of other personal information and the wider impact of identity theft, the ATO recommends you speak with IDCARE on 1800 595 160. IDCARE provides advice and confidential support to victims of data breaches and identity theft beyond the tax and superannuation systems.
For more information on data breaches, how to report them and what steps the ATO takes to protect and monitor accounts, please visit the ATO webpage: Data breach guidance for tax professionals.
Our Tax Policy Assistant, Zoe Beesley, has posted in Community about this preamble. Join the conversation and share your thoughts and ideas on the NDB scheme.
As always, we welcome your views and thoughts, which you can provide here.
Risk Officer, The Tax Institute