First enforceable undertaking under new privacy laws

In brief

Optus has become the first organisation to enter into an enforceable undertaking with the Privacy Commissioner since reforms to the Privacy Act took effect in March 2014. Partner Michael Pattison and Associate Byron Frost examine the circumstances surrounding Optus's voluntary data breach notifications, the terms of the undertaking and its significance.

Background

In April 2014, Optus became aware of three privacy incidents where (in each case) more than 100,000 of its customers were affected. As a result, Optus made voluntary data breach notifications of these incidents to the Office of the Australian Information Commissioner (OAIC).

Whites Pages incident

Following a customer complaint in April 2014, Optus became aware that, due to a coding error, the names, addresses and phone numbers of 122,000 Optus customers were listed in the White Pages (both online and a majority also in the print editions) without those customers' consent.

Modem incident

For certain modems issued to Optus customers, Optus made a change where it deliberately left the management ports for those modems open, and 308,000 of those modems were then issued to customers with user default names and passwords in place. This meant that Optus customers who did not change the default user name and passwords were left vulnerable to a person to make and charge calls as though they were the Optus customer. There was no evidence that the vulnerability was actually exploited.

Voicemail incident

Due to a security flaw, some Optus customers were, for eight months, vulnerable to 'spoofing' attacks, where an unauthorised party could access a customer's voicemail account.

Terms of the undertaking

Following an eight-month investigation, the Privacy Commissioner concluded that an enforceable undertaking was the most appropriate regulatory enforcement action in the circumstances (in the most part, due to Optus's co-operation with the Commissioner and steps taken to respond to the Commissioner's concerns).² Such undertakings are enforceable by the Privacy Commissioner in the Federal Court.³

Under the terms of the undertaking, Optus is required to appoint an independent third party (referred to as an auditor) to conduct reviews of the additional security measures Optus adopted in response to the privacy incidents and its vulnerability detection processes concerning the security of personal information. The auditor will also certify that Optus has carried out:

• a privacy incident review;
• a service-level security posture assessment;
• an architecture review of Optus's principal IT systems; and
• a review of Optus's new voicemail platform.

The auditor will prepare a report (which Optus will provide to the OAIC) regarding the review and certifications, and make recommendations as to how Optus can improve its processes and systems. Optus will then develop and submit a project plan to the OAIC, for implementation of those recommendations.

Within 18 months of signing the undertaking, Optus will engage the auditor to certify that its recommendations have been implemented and that identified deficiencies have been rectified. Where Optus requires more than 18 months to implement the recommendations, the auditor will prepare an interim report at 18 months and every six months thereafter (as to compliance) until certification can be provided. Optus will provide a copy of these reports/certifications to the OAIC within 14 days of receiving it.

Lessons for organisations

The Privacy Commissioner has stated that the OAIC's focus for the next 12 months will be on 'assisting organisations and agencies to build a culture of privacy, and ensuring that organisations and agencies are proactive in meeting their compliance requirements'.⁴

The decision to allow Optus to enter into an enforceable undertaking shows:

• that the Commissioner wants to work with organisations to embed privacy, rather than taking necessarily more draconian enforcement action when a data breach occurs. This is consistent with the approach identified in the OAIC's Privacy regulatory action policy.⁵ To assist organisations with 'embedding privacy' the OAIC has issued a Data breach notification guide and a Guide to securing personal information; and
• the importance of organisations engaging proactively and early with the Commissioner (as a form of mitigation) when they are faced with a data security breach that presents a real risk of serious harm to an individual. Relevantly, Optus had notified the Commissioner itself of each of the three breaches in question.

Although the Commissioner has decided, on this occasion, not to seek the award of a civil penalty against Optus, compliance with the undertaking Optus has offered is likely to be an expensive exercise. Among other things, the undertaking requires it to implement project plans that are recommended by an independent third party engaged by Optus to investigate whether Optus's practices, procedures and systems are reasonable to protect the personal information it holds.

Organisations need to consider whether the cost of voluntarily implementing appropriate security measures in the first place might be less expensive than having to fulfil plans that are effectively mandated by a third party in response to a data breach having occurred.

As this is the first enforceable undertaking accepted by the Commissioner, its content, the circumstances that led to it being accepted, and any information that is subsequently made publicly available as to Optus's compliance with its terms, will be of interest to all organisations in Australia that hold personal information.