7 June 2019

Agents, get serious about cyber security

By Toby Blyth, Peter Moran and Shannon Blain, Colin Biggers & Paisley

The protection of personal information is vital in the real estate industry.

The volume of personal information exchanged and its value (for both legitimate and illegitimate purposes), coupled with the use of smart devices and the proptech revolution, has undoubtedly benefited agencies, but it’s also made them more attractive targets for cyber attacks.

The misuse, loss or unlawful disclosure of personal information has severe consequences. So, do you know your obligations regarding integrity and confidentiality under data protection laws?

Privacy protection

The Australian Privacy Principles determine how organisations must handle, use and manage personal information. But what is "personal information"?

The Privacy Act defines it as “information or an opinion about an identified individual, or an individual who is reasonably identifiable.” This may include a person’s name, address, telephone number or bank account details. Sensitive information – such as a person’s race or religion – is afforded even greater protection.

Given the pace and complexity of cyberspace and the pervasive nature of technology, cyber liability insurance is a necessary safeguard for your agency to transact securely with your clients.

A data breach occurs when information is compromised and this has resulted, or is likely to result, in serious harm to an individual. Given its potential to ruin your agency's reputation, it's no wonder businesses have kept quiet about breaches in the past. Why would you report a hack when you have so much to lose?

But with the introduction of the Notifiable Data Breaches Scheme on 22 February 2018, businesses now have no choice but to report cyber breaches to the Office of the Australian Information Commissioner (OAIC). Failure to notify a breach may result in enforcement action by the OAIC. Where there’s serious or repeated interference, civil penalties may also apply under the Crimes Act 1914 (Cth). Agents may also be liable under general law (such as contract, tort or consumer law) for certain breaches.

If you think it all sounds quite serious, you’re right. It is serious. Very serious.

It could happen to you

Since the start of the Notifiable Data Breaches Scheme, the OAIC has received 305 notifications. In the last quarter alone, 89 per cent of the breaches notified involved the contact information of individuals.

One of the biggest cyber security issues faced by agencies is the threat of phishing attacks. Real estate agents are often targeted because of the high value of personal information held about sellers, buyers, landlords, tenants and other prospects.

In a recent cyber attack, an employee of an agency in Perth discovered an unauthorised trust account withdrawal of $500,000. Fortunately, they reported the incident to the bank before any of the money was collected by the cyber attackers. In this instance, the attackers used malware downloaded to the agency computer system to record keystrokes, ultimately revealing bank login details and passwords. The malware was likely downloaded because someone at the agency opened an attachment on a phishing email or clicked on a website link.

This attack, like many others over the last few years, underlines why agencies not only need to have measures in place to mitigate the risk of data breaches, but also need response procedures to follow in the event a breach occurs.

What you need to do

The liabilities and costs associated with a data breach can place significant operational and financial strain on an agency.

Therefore, agencies should be proactive in implementing data protection measures to mitigate both risk and expense.

Where you become aware of a data breach, the OAIC recommends that you take the following steps:

  1. Review all your systems, including:
    • Technical systems (such as patch procedures, penetration testing services, anti-malware protection and more)
    • Physical systems (for example, locking the office when it’s unattended and how rubbish is disposed of)
    • Human systems (such as who has access to what data and whether there are risky generalised procedures in place)
  2. Contact PEXA and your insurer or broker
  3. Contain the breach to prevent further misuse or loss of information (for example, stop the unauthorised practice or recover the lost information)
  4. Carry out a reasonable and expeditious assessment of the breach and, where possible, take remedial action to reduce the risk of harm to individuals. In some instances, it may be possible to prevent a breach from becoming one that’s likely to cause serious harm
  5. Where a breach has caused or is likely to cause serious harm, notify the OAIC and any individuals affected. Notification should contain recommendations about what individuals should do in response to the breach (for example, changing passwords and being alert for potential scams)
  6. Review the breach to improve internal procedures and prevent future breaches

Finally, remember two things and you’re less likely to go wrong. First, with IT matters, if it’s “free” you’re likely to be the mark, and second, always verify.
