By Toby Blyth, Peter Moran and Shannon Blain, Colin Biggers & Paisley
The protection of personal information is vital in the real estate industry.
The volume of personal information exchanged and its value (for both legitimate and illegitimate purposes), coupled with the use of smart devices and the proptech revolution, has undoubtedly benefited agencies, but it’s also made them more attractive targets for cyber attacks.
The misuse, loss or unlawful disclosure of personal information has severe consequences. So, do you know your obligations regarding integrity and confidentiality under data protection laws?
Privacy protection
The Australian Privacy Principles determine how organisations must handle, use and manage personal information. But what is "personal information"?
The Privacy Act defines it as “information or an opinion about an identified individual, or an individual who is reasonably identifiable.” This may include a person’s name, address, telephone number or bank account details. Sensitive information – such as a person’s race or religion – is afforded even greater protection.
Given the pace an complexity of the cyber space and pervasive nature of technology, cyber liability insurance is a necessary safeguard for your agency to transact securely with your clients.
A data breach is when information is compromised and has or is likely to result in serious harm to an individual. Given its potential to ruin your agency's reputation, it's no wonder businesses have kept quiet about breaches in the past. Why would you report a hack when you have so much to lose?
But with the introduction of the Notifiable Data Breaches Scheme on 22 February 2018, businesses now have no choice but to report cyber breaches to the Office of the Australian Information Commissioner (OAIC). Failure to notify a breach may result in enforcement action by the OAIC. Where there’s serious or repeated interference, civil penalties may also apply under the Crimes Act 1914 (Cth). Agents may also be liable under general law (such as contract, tort or consumer law) for certain breaches.
If you think it all sounds quite serious, you’re right. It is serious. Very serious.
It could happen to you
Since the start of the Notifiable Data Breaches Scheme, the OAIC has received 305 notifications. In the last quarter alone, 89 per cent of the breaches notified involved the contact information of individuals.
One of the biggest cyber security issues faced by agencies is the threat of phishing attacks. Real estate agents are often targeted because of the high value of personal information held about sellers, buyers, landlords, tenants and other prospects.
In a recent cyber attack, an employee of an agency in Perth discovered an unauthorised trust account withdrawal of $500,000. Fortunately, they reported the incident to the bank before any of the money was collected by the cyber attackers. In this instance, the attackers used malware downloaded to the agency computer system to record keystrokes, ultimately revealing bank login details and passwords. The malware was likely downloaded because someone at the agency opened an attachment on a phishing email or clicked on a website link.
This attack, like many others over the last few years, underlines why agencies not only need to have measures in place to mitigate the risk of data breaches, but also have response procedures to follow up in the event a breach occurs