ATO releases data breach guidance for professionals
With the notifiable data breaches scheme to commence from 22 February, the ATO has released updated guidance for tax professionals for dealing with data breaches and protecting against refund and superannuation fraud.
In a public communication on its website, the ATO said tax professionals hold a large amount of client, staff and business information, and have therefore become a target for identity thieves.
“Tax professionals who experience a data breach may discover their clients' identities have been stolen, and refund fraud committed in the client's name,” said the ATO.
A data breach occurs, the ATO explained, when confidential taxpayer information has been accessed by an unauthorised third party.
Examples include the unauthorised removal of computers, data or records in paper or digital form; criminals exploiting vulnerabilities in IT security controls, hacking, or phishing for information; or people with legitimate access to the data using it for fraudulent purposes, the ATO said.
It could also include accidental disclosure of information, for example, records emailed to an unauthorised third party or hard copies left in a public place, the ATO said.
“Tax professionals are encouraged to report data breaches to us to ensure protective measures can be placed on client accounts, protecting them and government revenue from further harm,” the ATO recommended.
The ATO said that where a firm has experienced a breach, it recommends that the practitioner contact the ATO as soon as practicable and also contact the Office of the Australian Information Commissioner (OAIC) to ensure compliance with any obligations under the Notifiable Data Breach Scheme (NDBS).
“Data breaches are often a precursor for refund fraud. The ATO has sophisticated mechanisms in place for identifying and protecting against potential refund and superannuation fraud that assist in meeting our obligation to protect government revenue,” it stated.
The tax professional should also inform impacted clients and staff of the data breach and contact their software supplier if they suspect the breach may have originated in one of their service offerings.
“Consider what information was accessed during the breach and take steps to safeguard this where necessary – for example, you may need to cancel your AUSkey,” the ATO advised.
“Take steps to secure the information in your business by ensuring all security software and controls are up-to-date [and] review systems access and remove it for people who no longer require it.”
The ATO said that if a data breach occurs within a practice, it may implement a range of additional safeguards to protect clients and government revenue.
“We may issue an alert to our staff requiring them to seek additional proof of record ownership from your client,” said the ATO.
“The requirement will apply when your client interacts with us. The alert prompts our staff to ask additional questions when validating your client’s identity. This alert does not prevent you from dealing with us on behalf of your client or change how we will identify you.”
The tax office said it will also continue to monitor the client’s ATO records where a breach has occurred.
“If we identify any irregular activity, we may contact you or your client to ensure the activity is legitimate. This may delay our processing of income tax returns and other forms,” it explained.
“Depending on your client’s circumstances, we may also apply additional security measures within our systems. These measures prevent particular activity where we perceive increased risk to clients, government revenue or both.”
In some cases, the ATO said it may assign a data breach manager who will assist professionals in the management of data breaches within their practice.
“The data breach manager may provide support to lessen the impact of the data breach on your practice and your client,” said the ATO.
“Information security is an important aspect of your business. It’s important you keep all your business, staff and client information secure. If your data is lost or compromised, it can be very difficult and costly to recover.”