Sometimes even the 'big guns' - companies with many, many years of experience under their holsters- can fall foul of privacy regulations. They then stand as a testament to the importance of privacy compliance and the necessity of implementing adequate procedures and policies to satisfy the intricate legislative requirements of privacy law. Recently, the Office of the Australian Information Commissioner (OAIC) published an 'own motion' report featured on their website which informed readers that a prominent Australian telecommunications company had breached the Privacy Act. AAPT Ltd had been the victim of unauthorised access by a hacker group known as Anonymous. Although they were the victim, the company itself was found to be in the wrong: it had failed to meet its requirements under the National Privacy Principles ( NPP), which had obligated it to take reasonable steps to protect and secure customer information and destroy/de-identify information that was no longer in use.
CASE STUDY: AAPT LTD
Earlier in the year, the Commissioner had received reports which indicated that AAPT's server had been compromised by a hacker group known as Anonymous, who had then exposed and published personal client data (including credit report information) on the internet. Though AAPT immediately took steps to ensure that no further information could be exploited, the fact that their records had been attacked at all made them vulnerable to a claim that they had not taken appropriate measures to protect this data in the first place. This obligation relating to the use and misuse of personal information is detailed in the National Privacy Principles that a majority of private sector organisations must comply with. Specifically, NNP 4 (Data security) and NNP 2 (Use and disclosure) require organisations to:
- take reasonable steps to protect personal information from unauthorised access/disclosure; and
- to take reasonable steps to destroy or permanently de-identify such information that is no longer in use;
Security of Personal Information
It was AAPT's responsibility to ensure that any and all applications that they utilised to manage personal information be regularly updated. However, the program that AAPT used had several newer versions available with security features that could have prevented this very attack. Indeed, the version used by AAPT was seven years old! Further, the contractual agreement between AAPT and their IT consultant (who managed the server) did not contain adequate measures to protect personal information, and it was not clear that AAPT was even aware of what personal information was being held on this server, let alone who was responsible for the use and update of applications that managed it. In consideration of these factors, the Commissioner came to the view that AAPT had breached this first obligation (NPP 4.1).
Destruction/ De-identification of Information
It was confirmed that not all of the compromised data had been in use by AAPT at the time of the hack. NPP 4.2 requires organisations to take reasonable steps to destroy or permanently de-identify personal information when it is not in use. Though AAPT had policies that outlined their data retention scheme, the Commissioner was of the view that there was "low awareness of data retention requirements" amongst employees and these policies were, in any case, not being followed by the staff involved with the compromised data. Therefore, it was held that AAPT was in contravention of this requirement (NPP 4.2) as well. Mr Timothy Pilgrim (our Information Commissioner) appreciated the speed with which AAPT Ltd responded to its breach, but nonetheless made both the media release and the motion report publicly available on the OAIC website to serve as a message to other companies to not "needlessly" place themselves in "a position of risk" by holding onto old information that is no longer in use. There are significant lessons in this case study for all of us. Most importantly, it is possible to inadvertently breach the law by not actively managing privacy policies and simply assuming that all staff are sufficiently informed about them. And an equally important consequence of breaching the law is that your company will likely be publicly named on the OAIC website. Do not hesitate to contact Certex at any time to ensure that your policies can withstand the force of the law.