In the case of a fraud or data security event, how do ADRs communicate with other Consumer Data Right participants, including the ACCC? Is there any obligation on the ADR in these circumstances?
While the CDR Rules contain no specific provisions that explicitly require an ADR to communicate the details of a data security event or fraudulent activity to other participants or to the ACCC, the following points may be of use:
- In the event of a data security breach, the correct notification pathway would be via the Office of the Australian Information Commissioner (OAIC), as per s56ES of the Competition and Consumer Act 2010. The ACCC and the OAIC will share information in accordance with the ACCC-OAIC CDR Memorandum of Understanding and take action as appropriate, in line with the ACCC-OAIC Compliance and Enforcement Policy for the CDR
- The CDR Rules do not currently include provisions for notification of fraud. There are a number of options available to the ACCC and its co-regulators to address fraud in the future, including:
  - an amendment to the CDR Rules
  - a standing request by the Accreditation Registrar requiring participants to provide notification of any instance(s) of fraud they are aware of, with wider communication of the activity being at the discretion of the Registrar
  - amendments to RAAP procedures
  - consultation with industry on their preferred method for providing notification of fraud within the CDR system
- The ACCC is continuing to analyse security monitoring and reporting structures, noting that architectural issues are currently being worked through, including:
  - identifying appropriate mechanisms for ADRs and other CDR participants to report issues, both within the CDR and in relation to wider (economy-wide and industry-specific) frameworks
  - documenting a process for responsible disclosure and reporting of issues. This will be done in accordance with best practice guidance such as the Australian Government Information Security Manual (ISM). Consultation with stakeholders on this guideline is expected
- Rule 5.14 of the CDR Rules imposes no specific obligation to notify the Data Recipient Accreditor of fraud or a data security event. However, the notification requirement under rule 5.14 may be triggered if the event amounts to a material change in circumstances that might affect the ADR's ability to comply with its accreditation obligations, or alter its status as a fit and proper person
- The CDR Rules require notifiable data breaches to be reported to the OAIC. Separately, rule 1.7(3)(c) requires ADRs to notify the ACSC of any data security incident no later than 30 days after the incident. These are distinct obligations with different recipients. The ACSC uses these notifications for information gathering and monitoring of security incidents, but does not currently have any process in place to share that information with CDR participants
- If an ADR's accreditation were revoked or suspended as a result of fraud or a data security event, relevant data holders could be notified of the revocation or suspension via the Register.