Next steps in the Consumer Data Right regime as the ACCC launches the guidelines for accredited data recipients.
In another step closer to the open banking regime, the ACCC launched the Consumer Data Right Register and Accreditation Application Platform (RAAP) and the Consumer Data Right Participant Portal, enabling businesses to apply to become Accredited Data Recipients. Sharing of banking data securely between major banks and Accredited Data Recipients will commence on 1 July 2020.
The two main functions of the RAAP are to create a trusted data environment in which encrypted data is only shared between approved participants, and to provide a portal through which businesses can apply to be accredited.
To receive CDR data under the regime, individuals and businesses will need to become accredited.
Two of the key obligations for accreditation are:
1. Information Security
Information security is critical to the success of the CDR regime and the regulator’s focus is on building consumer confidence in the security and integrity of the CDR ecosystem.
The Competition and Consumer Act 2010 (Cth) and the CDR Rules contain a number of privacy safeguards to increase the protection of a consumer’s data. The accredited person has an obligation to protect data from:
(i) misuse, interference, loss
(ii) unauthorised access, modification or disclosure
The Rules require the accredited person to formally establish and implement security governance in relation to CDR data. This involves establishing an information security governance framework that sets out the policies, procedures, roles and responsibilities required to facilitate the oversight and management of CDR data.
While the Rules don’t mandate a particular security standard, businesses can draw on existing frameworks such as ISO 27001, NIST, CPS 234 and PCI DSS when developing their information security governance framework and defining the security areas it covers.
It is important to note that when services are provided by an outsourced service provider, the accredited person may remain liable under the CDR Rules for the use or disclosure of CDR data by that outsourced service provider, or by certain other recipients of that data.
An accredited person must therefore also assess the security controls of the outsourced service provider when fulfilling their information security obligation.
2. Insurance
Insurance is the second obligation for accreditation. It requires an accredited person to hold adequate insurance, in light of the risk that CDR consumers would not be properly compensated for any loss that might reasonably be expected to arise from a breach of any laws relevant to the management of CDR data.
The Accreditation Guidelines don’t prescribe the insurance product types that must be obtained to meet the insurance obligation, but two products that would fulfil this obligation are:
1. Professional Indemnity; and
2. Cyber Insurance
Professional indemnity is designed to compensate third parties for civil liability arising out of the provision of professional services. Simply put, businesses have a professional duty to protect customer data; if they fail to put adequate security controls in place, and the data is stolen and misused, resulting in a loss to customers, those customers have a right to be compensated.
Cyber insurance provides cover for (amongst other things) certain liabilities to third parties arising out of cyber incidents. For example, if the organisation is the victim of a malicious cyber attack that results in the theft of personal data, the cyber policy will compensate the affected third parties for any losses they suffer as a result of their data being stolen.
It is up to the accredited person to determine the adequacy of cover.
CyberWorqs and CMX Insurance Solutions have teamed up to assist fintechs, superannuation funds and any other organisations that are applying for accreditation with their information security and insurance obligations.
CMX Insurance specialises in insurance solutions for the financial services sector and has negotiated competitive rates with CyberWorqs that will help businesses meet their governance obligations.
Contact us today on 1300 020 148