Focus: Privacy Commissioner reports on Telstra data breaches
9 July 2012
In brief: The Australian Privacy Commissioner has released a report into Telstra having breached customer privacy in 2011. Partner Michael Pattison and Lawyer Margaret Walsh report on the Privacy Commissioner's findings, Telstra's response to the data breaches, and what the matter can teach us about taking 'reasonable steps' to comply with the national privacy regime.
How does it affect you?
- The investigation launched by the Australian Privacy Commissioner (the Commissioner) on its own motion, taken together with a recent determination requiring a company to pay damages (see our earlier Focus: A newly determined Privacy Commissioner), demonstrates that the Commissioner is continuing to take a tougher approach to enforcing privacy obligations than previously.
- In light of this tougher approach, organisations should ensure that their privacy practices and procedures comply with their legal obligations.
- Organisations should ensure that they have practices and procedures in place to deal with data breaches, including:
- carrying out privacy impact assessments at the start of new projects;
- ensuring that the right team is in place to deal with data breaches; and
- where appropriate, notifying relevant stakeholders of a data breach.
- The report confirms that simply putting data security policies and procedures in place will not be considered 'reasonable steps' for the purpose of National Privacy Principle (NPP) 4; organisations must be able to show actual compliance with such policies.
- The report also confirms that the Commissioner considers that an inadvertent release of information constitutes a disclosure for the purpose of NPP 2, and so will breach NPP 2 if it is unauthorised.
Between July 2011 and October 2011, and again in December 2011, a web-based customer management tool Telstra used to manage customer orders (referred to by the Commissioner as the visibility tool) was inadvertently made publicly available. The visibility tool contained a large amount of personal information relating to 734,000 customers.
On becoming aware of the data breach, Telstra took steps to address it and notified the relevant parties. The Commissioner then launched an investigation into the breach. Although the investigation ceased after Telstra committed to a remediation plan, the Commissioner released a report on 29 June 2012 in which it found that Telstra had breached NPP 2 and NPP 4. The Commissioner also requested that Telstra provide it with a report on the progress of the remediation plan by October 2012 and a report of its completion by April 2013.
Following an investigation into the incident, Telstra concluded that the breach was caused by a number of errors, including that:
- at its commencement, the project was incorrectly categorised as one that did not involve any personal information and as such, further security controls were not put in place;
- multiple employees were aware of the data breach but failed to report it to Telstra management; and
- the visibility tool became publicly available again in December 2011 after a software restoration inadvertently removed security protections.
On becoming aware of the breach, Telstra responded by:
- removing public access to the visibility tool;
- disabling other platforms where personal information was required to gain access (such as online billing) until it was confirmed that they were secure;
- promptly notifying the Office of the Australian Information Commissioner (OAIC) and Telecommunications Industry Ombudsman of the breach;
- investigating the cause of the breach;
- resetting the passwords of 73,000 customers;
- determining what types of personal information were made available by access to the visibility tool; and
- notifying potentially affected customers by phone, SMS, email or direct mail.
Telstra also committed to undertake remedial actions, including:
- reviewing and improving privacy compliance training programs (including implementing new internal training regarding the completion of privacy compliance questionnaires); and
- changing its systems such that the Chief Privacy Officer will be involved in the management of future incidents concerning privacy and will, after undertaking a risk assessment, notify the OAIC of such incidents, if appropriate.
The Commissioner's investigation and report focused on determining whether the data breach represented a breach by Telstra of NPP 2 (in particular, NPP 2.1, which requires that an organisation only use or disclose personal information for the primary purpose for which it was collected) or NPP 4 (in particular, NPP 4.1, which requires that an organisation take reasonable steps to protect the personal information it holds).
In relation to NPP 2, the Commissioner found that the public availability of the visibility tool represented a disclosure of the personal information accessible through it and that such disclosure was in breach of NPP 2.
In relation to NPP 4, the Commissioner found that Telstra breached it by not taking reasonable steps to protect the personal information it held. In considering what constitutes 'reasonable steps', the Commissioner noted that organisations should consider:
- taking steps to identify security risks to personal information, and developing policies to reduce such risks;
- providing data security training for staff; and
- monitoring compliance with security policies on an ongoing basis.
Importantly, the Commissioner noted that establishing data security policies and procedures will not be sufficient to avoid a breach of NPP 4 unless the organisation, in fact, acts on them.
The Commissioner stated that Telstra took appropriate steps to investigate and contain the breach and notify customers once it occurred.
The steps referred to above accordingly provide some good examples of the measures that a company could take in response to a breach.
- Ian McGill, Partner, Ph: +61 2 9230 4893
- Gavin Smith, Partner, Sector Leader, Technology, Media & Telecommunications, Ph: +61 2 9230 4891
- Michael Morris, Partner, Ph: +61 7 3334 3279