- Have you undertaken a privacy risk assessment?
- Does some of the personal data you collect include sensitive information?
- Could some of the data have potentially serious adverse consequences if misused?
- Do all your employees understand the privacy requirements and the significance of breaches?
- Do you routinely test your security and control settings?
Privacy is important, and breaches will be taken seriously. The attitude that Telstra displayed towards managing privacy is not uncommon. Don't get it wrong.

One day before the new privacy principles were to come into force across Australia, the Office of the Information Commissioner let out a bombshell. Telstra, for the second time in two years, had breached privacy laws, this time undermining the privacy of around 15,775 customers. Both the Office of the Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) found that "between February 2012 and May 2013, the information of 15,775 Telstra customers from 2009 and earlier was accessible on the internet. This included the information of 1,257 active silent line customers."
What Did Telstra Breach?

Telstra, like all organisations that fall within the scope of the Privacy Act, has a responsibility to take reasonable steps to protect customer information from misuse, loss, unauthorised access, modification or disclosure (National Privacy Principle 4.1). This requirement is mirrored under clause 4.6.3 of the Telecommunications Consumer Protections Code, which Telstra, as a telecommunications body, is also bound to follow. Breach of this clause is discussed in relation to the ACMA further in this article.
How Did Telstra Breach NPP 4.1 and Clause 4.6.3?

Telstra kept spreadsheet files that contained personal information about its clients. These files were hosted by a third-party service provider that worked with Telstra. Telstra then asked the provider to extend access control on the files to include certain authorised parties. In doing so, the third-party provider inadvertently removed access control altogether, which made the files publicly available online. When Google later indexed the files, they became discoverable with a simple Google search. The full names, addresses and phone numbers of over 15,000 customers were compromised, and Telstra identified at least 116 downloads of this information. Telstra quickly and competently addressed the situation. But this was not the first time the company had compromised private information: in December 2011, on the same host platform, the personal information of a staggering 734,000 customers was leaked online.
Assessment of Telstra's Adherence to NPP 4.1

NPP 4.1 (now APP 11) requires Telstra to take reasonable steps to protect its clients' personal information from misuse, loss, unauthorised access, modification or disclosure. This meant that the Commissioner had to consider what safeguards Telstra had had in place before the data breach and what steps Telstra should have taken to mitigate the damage, given the kind of information Telstra was handling, the environment Telstra was working in, its security processes, industry practice, and more.

Telstra had believed that the data breach was of "low risk from a privacy perspective" as it only divulged names, phone numbers and addresses. However, the Commissioner disagreed, particularly because of the 1,257 customers with private numbers and silent lines. Does some of the personal data you collect include sensitive information, or could it have potentially serious adverse consequences if misused? Are you protecting and securing the data accordingly?

In addition, Telstra should have been aware of the high risk of a privacy breach after the first data breach in 2011. At that time Telstra implemented a thorough deconstruction and reconstruction of its privacy procedures and processes. The Commissioner felt that, as a result of this, Telstra should have taken more steps to protect personal information. Have you reviewed the risk of a privacy breach in your business?

Furthermore, processes that Telstra had already implemented were simply not followed by all parties. This was a "key contributing factor" to the breach. Do all your employees understand the significance of privacy breaches, and are they fully aware of their obligations under the Act?

Telstra believed that once a process (such as an access control) is implemented securely, "there is no need to undertake on-going testing". However, the Commissioner reinforced that there is no 'set and forget' solution to privacy and security in a digital environment.
The digital world is constantly changing, evolving and updating. Simply because a process is secure at one point in time does not mean that it is secure indefinitely. Do you routinely test your security and control settings?

Telstra stated to the OAIC that it had, in essence, complied with industry practice for testing software as a service. But the Commissioner firmly stated that "adherence to industry practice is not, in and of itself, an alternative to an entity meeting its regulatory and legal obligations. If an entity engages in what it considers to be industry practice, and that practice falls short of the requirements of the Privacy Act, the Commissioner may consider that entity non-compliant."

Luckily for Telstra, the OAIC's investigation concluded before the new APP principles came into effect. This means that Telstra narrowly avoided potential penalties that it could have incurred at the Privacy Commissioner's discretion. These could have been anything from a legally enforceable undertaking to, in cases of serious or repeated breaches, monetary fines of up to $1.7 million. However, the ACMA found that Telstra had contravened its earlier Direction to Comply with clause 4.6.3 of the Telecommunications Consumer Protections Code (TCP Code), and Telstra was issued an infringement notice of $10,200. This shows that there can be implications beyond the Privacy Act for breaches of privacy or for failing to have proper systems and security measures in place.

Although Telstra did not have to pay monetary fines to the OAIC on this occasion, the investigation reports by both the ACMA and the OAIC are publicly listed on their websites for anyone to see, and a media release has been made in relation to the incident. Privacy Commissioner Timothy Pilgrim advised that "This incident [was] a timely reminder to all organisations that they should prioritise privacy. All entities bound by the Privacy Act must have in place security measures to protect personal information."
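The failure mode described above (an ACL "extension" that removed the restriction, then nobody re-testing the setting) can be expressed as a small routine check. The following is an added illustration, not code from Telstra, its hosting provider, or the OAIC, and it assumes a simplified model: each hosted file carries a set of reader grants, and the wildcard grantee names in PUBLIC_GRANTEES (constructed here; real hosts use their own names for "everyone") make a file readable by anyone. The sample inventory and the function names are likewise constructed for this example.

```python
"""Routine check of hosted-file access controls for public exposure.

Constructed illustration: a file is modelled as a path, a flag saying whether
it holds personal information, and the set of grantees allowed to read it.
"""
from dataclasses import dataclass, field

# Assumed wildcard grantees; a grant to any of these means "anyone on the internet".
PUBLIC_GRANTEES = frozenset({"*", "anonymous", "allUsers"})


@dataclass
class HostedFile:
    path: str
    personal_info: bool              # names, addresses, phone numbers, ...
    readers: set = field(default_factory=set)


class ExposureError(Exception):
    """Raised when a change would make a file holding personal info public."""


def is_public(f: HostedFile) -> bool:
    """True if any grant lets an unauthenticated reader fetch the file."""
    return any(r in PUBLIC_GRANTEES for r in f.readers)


def audit(inventory) -> list:
    """Return paths of files that hold personal information and are public.

    This is the 'routine test' the article calls for: run it on a schedule
    and after every ACL change rather than trusting the initial setup."""
    return [f.path for f in inventory if f.personal_info and is_public(f)]


def extend_access_unchecked(f: HostedFile, new_readers) -> None:
    """The careless version: replaces the grant set instead of adding to it.

    Existing authorised readers are dropped, and a wildcard that slips into
    new_readers (a mistyped group name, a 'temporary' open grant) goes live
    with no verification at all."""
    f.readers = set(new_readers)


def extend_access_checked(f: HostedFile, new_readers) -> None:
    """Add readers without touching existing ones, then verify the result.

    Fails closed: if a file with personal information would become public,
    the previous ACL is restored and the change is refused."""
    before = set(f.readers)
    f.readers = before | set(new_readers)
    if f.personal_info and is_public(f):
        f.readers = before           # roll back to the last known-good ACL
        raise ExposureError(f"{f.path}: change would expose personal data")


def demo() -> dict:
    """Run the audit and both extension paths over a constructed inventory."""
    inventory = [
        # An old export that already carries a wildcard grant (the misconfiguration).
        HostedFile("exports/customers-2009.xlsx", True, {"billing-team", "allUsers"}),
        # A correctly restricted export.
        HostedFile("exports/customers-2010.xlsx", True, {"billing-team"}),
        # Public by design and holding no personal data, so not reported.
        HostedFile("marketing/brochure.pdf", False, {"*"}),
    ]
    exposed = audit(inventory)

    restricted = inventory[1]
    rejected = False
    try:
        # A request that accidentally includes a wildcard grantee is refused.
        extend_access_checked(restricted, {"retention-team", "anonymous"})
    except ExposureError:
        rejected = True
    # The same request without the wildcard succeeds and keeps existing readers.
    extend_access_checked(restricted, {"retention-team"})

    return {
        "exposed": exposed,
        "rejected": rejected,
        "readers_after": sorted(restricted.readers),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the checked path is that verification is part of the change, not a separate step someone may forget; the audit is what catches a grant that was already wrong before anyone looked, which is the situation the article describes.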
From 2012-2013 the OAIC received 10,576 privacy enquiries and 1,496 complaints. Already, this financial year has seen a 30% increase in complaints. Privacy is important. Privacy will be taken seriously. Don't get it wrong.