Data Protection Complaints on the rise

Just as we reported in a recent blog about the 154% increase in complaints to the Irish Data Protection Commission, there has been a similar but slightly larger increase of 160% in complaints received by the UK Information Commissioner’s Office (ICO). The ICO received 6,281 complaints between 25 May and 3 July 2018, a 160% rise compared to the same period in 2017.

Under the General Data Protection Regulation (GDPR), companies can be fined up to €20 million or 4% of their worldwide turnover.

Greater media attention and government advertising have boosted public awareness of data rights, and there is now more media focus on the accountability of organisations in this area.

Accountants need to pay attention, as the figures show that firms holding sensitive personal information, including those in financial services, education and health, were the most complained about, accounting for more than a quarter of the total. The regulation has also made it easier for people to access the data that organisations hold about them, leading to an increased volume of requests known as ‘data subject’ or ‘data access’ requests.

This is the first indication of the impact of the new GDPR regulation which introduced mandatory reporting of data breaches in certain cases.

To hear more about the ongoing requirements of the GDPR, come to our next CPD course, GDPR for Accountants on Tuesday 25 September 2018 in the Talbot Hotel Stillorgan, Dublin, at 9:30am until 12.30pm.

All delegates will receive a GDPR ‘Get Started Checklist’, the GDPR law itself, along with other support materials. More information and booking details: here

Accountants are a treasure trove of information – for hackers!

When you consider the volume of data that an accountancy firm or an individual practitioner possesses, you can understand why they have become an attractive target for hackers.

Accountants are regarded as custodians of people’s most sensitive information. It’s everything about them and their family. And there’s an expectation that every appropriate measure is being taken to safeguard that information according to best practice.

One tax return alone includes the name and PPS numbers of a taxpayer, spouse, and dependent children. Clients’ files include addresses, phone numbers, and bank account numbers.

Banks may hold a lot of similar information, but they often have sophisticated cybersecurity controls because they are so heavily regulated. By contrast, much of the valuable data in the accountancy sector is held by small firms or solo practitioners who may lack the resources or expertise to set up and maintain the latest cyber controls. However, size alone does not absolve them from the responsibility to put substantial effort into guarding their systems and data.

An increased risk factor is that the accountancy regulatory bodies do not currently include data protection in their inspection visits to firms, leaving it to the Data Protection Commission, so firms may lack an up-to-date means of benchmarking themselves against best practice.

It may be helpful to understand the types of scams that hackers are perpetrating, which include:

  • Ransomware. Hackers can install software that blocks access to your system, crippling your firm’s ability to do work for clients. Upon payment of a ransom in bitcoin, the hacker will restore your system’s capabilities. Ransomware has grown in popularity with hackers because each successful individual attack can force payment of a large sum. Perpetrators with limited technological knowledge can even purchase “ransomware-as-a-service” and unleash it on potential victims. It is obviously of extreme importance that firms have a stringently enforced habit of backing up their servers daily, which in the case of at least one US firm helped ward off two ransomware attacks.
  • ACH (Automated Clearing House) fraud. Thieves who manage to steal a current account number and a client’s banking details can use this information to steal money directly from victims’ bank accounts, or to route money in various other ways. This information also can be used to commit other crimes.
  • Credit card theft. Hackers can use a stolen credit card number to make purchases, or they can use an identity that they have stolen to open new credit cards to be used for purchases. Sophisticated detection systems used by credit card companies have limited the effectiveness of these schemes in recent years.

154% increase in data breaches reported after the GDPR

In the two months since the implementation of the new EU General Data Protection Regulation, which came into force on the 25th May, there has been a dramatic increase in the number of data breaches reported to the Data Protection Commission.

A recent news article revealed that the Data Protection Commission has received 1,184 reports of data breaches since 25 May 2018. Of these, the new GDPR regulation applied in 953 cases.

These figures mark a 154% increase on the monthly average number of data breaches reported in 2017 and a 69% increase in the number of complaints received. See the charts below.

[Charts: monthly data breach reports and complaints received by the Data Protection Commission, 2017 compared with the period since 25 May 2018]

This is the first indication of the impact of the new GDPR regulation which introduced mandatory reporting of data breaches in certain cases.

AML training must be more than mere lip service

A recent sanction by the Central Bank draws attention to the fact that anti-money laundering (AML) training needs to be focused, specific and ongoing. In the sanction report, a financial services firm was fined €443,000 in June 2018 for failures that included a lack of appropriate AML training.

The sanctions report reads: ‘it had inadequate policies and procedures to monitor transactions, detect and report money laundering and provide its staff with appropriate training’.

In addition, the Central Bank found that the company:

  • failed in many areas to provide the appropriate amount, level and accuracy of training for its staff;
  • did not focus training on the specific roles and responsibilities of staff (especially at Money Laundering Reporting Officer (MLRO) level);
  • did not devote sufficient training time to teaching staff how to identify suspicious activity;
  • failed to provide training to all client-facing staff; and
  • failed to ensure staff were instructed on AML and counter financing of terrorism (CFT)-related law, and failed to provide ongoing training.

From 15 July 2010 to 10 September 2012, the firm breached section 54(6) of the Criminal Justice (Money Laundering and Terrorist Financing) Act, 2010, because it failed to train anyone involved in the conduct of its business in AML/CFT law or provide on-going instruction on identifying suspicious activity.

Over a three-year period, the firm had held one one-hour annual AML/CFT training session for staff. The Central Bank stated that the ‘training was sufficient to introduce staff to AML/CFT law but in further breach of section 54(6), it was insufficient to train them to identify suspicious activity. In addition, the scope of the training was not tailored to specific roles, including the Firm’s MLRO’.

To hear more about the AML requirements that must be applied by accounting firms, including a suggested spreadsheet to control all the main topics, come to our next AML seminar on Tuesday 25 September 2018 at the Talbot Hotel Stillorgan, County Dublin.

Booking is here via our website. Cost is €105 per delegate or €280 for three delegates from the same office.

How is your organisation coping with GDPR since the 25 May 2018?

The General Data Protection Regulation (GDPR) finally took effect at the end of May across the EU. Many organisations are still struggling with the number of changes and the amount of work required. A recent survey carried out by the UK branch of the Institute of Chartered Secretaries and Administrators (ICSA) revealed that only half of those interviewed were ‘fully compliant’ on the enforcement date of 25 May, with roughly a quarter (27%) not fully compliant and the rest (23%) unsure.

One suspects that a similar response would be found in Ireland if such a survey were conducted here.

Some of the views reflected in the survey were:

  • Compliance is continuous; firms find it challenging to be 100% compliant at all times;
  • Basics are easier to put in place, but additional processing is essential;
  • Lack of clarity on some of the rules and requirements was a problem, as some guidance was only finalised in the weeks leading up to the GDPR enforcement date on 25 May, which caused plans to be delayed or changed for many organisations; and
  • A lot of training and awareness was needed to decrease anxiety among staff who feared doing something wrong.

GDPR is undoubtedly a major challenge for most organisations. We are providing readers of this blog with a free checklist of questions intended to help you assess how well your data security and usage controls compare to the GDPR requirements and to identify areas for improvement. Checklist available here

To hear more about the ongoing requirements of the GDPR, come to our next CPD course, GDPR for Accountants on Tuesday 25 September 2018 in the Talbot Hotel Stillorgan, Dublin, at 9:30am.

All delegates will receive a GDPR ‘Get Started Checklist’, the GDPR law itself, along with other support materials. More information and booking details: here

Watch for our forthcoming GDPR Data Protection Procedures Manual coming soon.