Key Messages – steps your entity should take to protect and respond to a cyber incident involving CDR data

The purpose of the CDR is to facilitate (with the consumer’s consent) secure data sharing between service providers to enable consumers to compare products and services and access new products.

When consumers hand over their data to a person to obtain goods or services, they expect the entity to keep their data safe and secure and to protect the data from unauthorised access or misuse. They also expect the entity to have processes in place to respond to suspected or actual data security breaches.

CDR participants have obligations to notify breaches involving CDR data. Persons who otherwise deal with CDR data should ensure they implement best practice processes in relation to the data security breaches and the notifiable data breaches scheme.

Obligations that apply to CDR entities and persons handling CDR data

  • Accredited persons have obligations under the Competition and Consumer Act 2010 to comply with the notifiable data breaches scheme in Part IIIC of the Privacy Act 1988 which includes notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) about eligible data breaches. Guidance about those obligations is available on the OAIC website: About the Notifiable Data Breaches scheme.
  • CDR representatives and outsourced services providers must comply with the requirements in Schedule 2 of the Competition and Consumer (Consumer Data Right) Rules 2020 which requires them to have a CDR data security response plan. This must include procedures to notify the Information Commissioner about CDR data security breaches to as required under Part IIIC of the Privacy Act.  In addition to this, the OAIC recommends these entities should also report the data breach to their CDR or OSP principal so that it can take steps to contain, asses, review and notify the breach where appropriate.
  • A quick response to a data breach is critical to effectively managing a breach. The OAIC considers it is best practice for any person who handles CDR data to have a CDR data security response plan in place which helps it mitigate and respond to a cyber incident, this includes unaccredited third parties such as trusted advisers.
  • A data security response plan should outline an entity’s strategy for containing, assessing and managing the breach incident from start to finish.
  • The OAIC’s Data breach preparation and response guidance will assist persons who handle CDR data to develop, maintain and implement CDR data security response plans.
  • A cyber incident involving CDR data may also enliven responsibilities and obligations for CDR entities under the Privacy Safeguards in Pat IVD of the CCA, for example:
    • Privacy Safeguard 11 requires data holders who are required or authorised to disclose CDR data under the CDR Rules, and accredited data recipients who are disclosing CDR data when required or authorised under the CDR Rules, to take reasonable steps to ensure that the CDR data is accurate, up-to-date and complete. They must advise consumers in accordance with the CDR Rules if they become aware that the CDR data disclosed was not accurate, up to date and complete when disclosed.
    • Privacy Safeguard 4 requires an accredited person to destroy unsolicited data (any CDR data that has been collected from a data holder or accredited data recipient purportedly under the CDR Rules, but that it did not seek to collect, such as inaccurate CDR data relating to another consumer(s)) as soon as practicable.

Top tips for preparing for and responding to a cyber incident

The ongoing threat and increased sophistication of cyber incidents reinforces the need for organisations using the CDR to have robust information handling practices and an up-to-date data breach response plan. Steps your entity can take to mitigate the risk and impact of a cyber incident include:

  • have an up-to-date CDR data security response plan setting out timeframes and clear lines of authority and responsibility for staff when responding to a cyber incident
  • have a deep understanding of what kind(s) of personal information your entity holds and where that information is stored. As part of this, you should also know what specific systems your entity uses, who has access to those systems and what privileges users have within those systems
  • ensure that your entity’s data is backed up frequently and stored securely
  • ensure your contractual arrangements with third party providers specify accountabilities in the event of a suspected or actual data breach that involve multiple parties, including the party that is responsible party for assessing the data breach and potential harm to affected individuals, notification, the provision of information and other matters relevant to investigating data breaches
  • implement access security controls and procedures to protect against internal and external risks by ensuring that personal information is only accessed by authorised persons. This will also assist with prompt identification of risks and breaches
  • use audit logs and access monitoring – records of system activities by internal and external users to assist your entity to detect cyber security events and investigate and determine the extent of cyber security incidents.

The Guidance for entities in preparing for and responding to cyber incidents sets out the steps entities can take to mitigate the risk and impact of a cyber incident, minimise harm to individuals in the event of a data breach and the recommended steps to prevent a cyber incident. This is simple guidance that all entities can apply.