Scintilla – a flash, a spark, an iota. Shorthand for creativity and an indicator of inventiveness under Australian law.

Friday, August 15, 2014

Protecting personal information online – a review of recent investigations by the Privacy Commissioner

By Tracy Lu, Associate

Since the beginning of the year, the Privacy Commissioner has released three investigation reports into the practices of three Australian businesses relating to the electronic storage and inadvertent disclosure of personal information. This post takes a quick look at each of these cases.

Cupid Media

In June 2014, the Commissioner found that online dating agency Cupid Media Pty Ltd had breached the National Privacy Principles (which were applicable prior to the March 2014 amendments to the Privacy Act 1988 (Cth)) by failing to take reasonable steps to secure personal information it held, failing to take reasonable steps to destroy or permanently de-identify information it no longer uses or needs, and disclosing such information for an unauthorised purpose. The potential implications of the breach were serious, with an estimated 254,000 Australian users affected, who not only left their hearts vulnerable by making use of Cupid's services but also inadvertently left their personal information vulnerable to hackers.
 
While Cupid did not handle any credit card or bank account data, it did handle other 'sensitive information', since its dating services were offered on the basis of racial, religious or sexual references, and this imposed a more stringent requirement on Cupid to keep the information secure than applies to organisations that do not handle sensitive information. In particular, the Commissioner found that Cupid's failure to adopt the simple measure of encrypting stored passwords was a failure to take reasonable security steps. Since the breach, however, the Commissioner found that Cupid had acted appropriately by undertaking an extensive remediation program, and the investigation was accordingly closed.
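The report describes the missing control as encrypting stored passwords. The following is an added example, not code from the post or from Cupid, showing the weak pattern (storing the password itself) beside the standard control for passwords: a per-user salted, deliberately slow one-way hash, verified with a constant-time comparison. The iteration count, user records and field names are constructed assumptions.

```python
"""Password storage: the weak pattern beside the hardened one.

Added example (not from the blog post or from any business it discusses).
All user records below are constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000  # assumption: a slow work factor for production use

# Weak: the stored value is the password itself, so anyone who reads the table
# (a leaked backup, a compromised server) obtains every user's credential.
weak_table = {"alice@example.com": "correct horse battery staple"}  # constructed


@dataclass(frozen=True)
class StoredCredential:
    """What the database keeps instead of the password."""
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str, *, iterations: int = PBKDF2_ITERATIONS) -> StoredCredential:
    """Derive a per-user salted hash; the password itself is never stored."""
    salt = os.urandom(16)  # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredCredential(salt=salt, digest=digest, iterations=iterations)


def verify_password(password: str, stored: StoredCredential) -> bool:
    """Recompute with the stored salt and work factor, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), stored.salt, stored.iterations
    )
    return hmac.compare_digest(candidate, stored.digest)


def audit_plaintext(table: dict[str, object]) -> list[str]:
    """Return the users whose stored value is not a one-way hash record.

    A check of this kind is the 'reasonable step' the report found missing:
    it tells you whether any credential in the store is recoverable as text.
    """
    return [user for user, value in table.items() if not isinstance(value, StoredCredential)]


if __name__ == "__main__":
    hardened_table = {
        user: hash_password(pw) for user, pw in weak_table.items()
    }
    print("plaintext credentials in weak table:", audit_plaintext(weak_table))
    print("plaintext credentials in hardened table:", audit_plaintext(hardened_table))
    cred = hardened_table["alice@example.com"]
    print("correct password verifies:", verify_password("correct horse battery staple", cred))
    print("wrong password verifies:", verify_password("wrong", cred))
```

Two design points worth noting: the salt is stored beside the digest so that identical passwords for different users produce different records, and the iteration count is stored with each record so the work factor can be raised later without invalidating older credentials.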

Multicard

 
In May 2014, the Commissioner found that Multicard Pty Ltd, a business which issues the Maritime Security Identity Card that identifies holders as having passed certain minimum security requirements, had breached the National Privacy Principles by failing to take reasonable steps to secure personal information it held and disclosing such information for an unauthorised purpose.

Multicard had stored information about card applicants in an 'uploads' folder on a publicly accessible web server. Access to the uploads folder was not restricted to authorised users: it required no password, username or other authenticator, directory browsing of the folder was not disabled and, further, no cryptographic protocol was applied.

The Commissioner, in its report, expressed concern with Multicard's conduct of its own investigation and requested an independent auditor engaged by Multicard to certify by 30 June 2014 that appropriate remediation steps had been taken.

Telstra

 
This investigation was reported in early March 2014 immediately prior to the new amendments coming into effect and related to Telstra's breach of the National Privacy Principles by failing to take reasonable steps to secure personal information it held, failing to take reasonable steps to destroy or permanently de-identify information it no longer uses or needs, and disclosing such information for an unauthorised purpose.
 
Specifically, the Commissioner found that Telstra had made personal information publicly accessible online for 14 months (and discoverable via a Google search for almost 11 months), had no systems in place to identify personal information that it no longer used or needed, and was aware of 166 unique downloads of the relevant files by IP addresses not associated with Telstra. Interestingly, the Commissioner also noted that compliance with industry practice (which Telstra claimed it had achieved in respect of its Software as a Service testing) does not absolve an entity of liability where the industry practice was itself inadequate to meet regulatory and legal requirements.
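The finding that Telstra had no systems in place to identify information it no longer used or needed points at a control rather than a technology: a periodic sweep that finds records past their retention period and either destroys or permanently de-identifies them, which is the same obligation the Cupid finding above refers to. The following is an added example, not code from the post or from Telstra, of such a sweep over constructed records. The retention period, the list of identifying fields and the records themselves are assumptions.

```python
"""Retention sweep: find personal information past its retention period and
destroy or permanently de-identify it.

Added example (not from the blog post or from any business it discusses).
Retention period, field names and records are constructed assumptions.
"""
from datetime import date, timedelta

RETENTION = timedelta(days=365)  # assumption: a 12-month retention period

# Fields that identify a person. 'id' is included because a persistent key
# that links back to a master index would allow re-identification.
IDENTIFYING_FIELDS = ("id", "name", "email", "phone")  # assumption

# Constructed sample records; 'keep_aggregate' marks records whose
# non-identifying fields are still needed for statistics.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Applicant", "email": "a@example.com", "phone": "0400 000 001",
     "state": "NSW", "last_used": date(2012, 11, 2), "keep_aggregate": True},
    {"id": 2, "name": "B. Applicant", "email": "b@example.com", "phone": "0400 000 002",
     "state": "VIC", "last_used": date(2014, 5, 1), "keep_aggregate": False},
    {"id": 3, "name": "C. Applicant", "email": "c@example.com", "phone": "0400 000 003",
     "state": "QLD", "last_used": date(2013, 3, 15), "keep_aggregate": False},
]


def past_retention(record: dict, today: date) -> bool:
    """True when the record has not been used within the retention period."""
    return today - record["last_used"] > RETENTION


def deidentify(record: dict, today: date) -> dict:
    """Return a copy with every identifying field removed, stamped with the date.

    Removal, not masking or hashing, is used so the result cannot be linked
    back to the person once the original is destroyed.
    """
    kept = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    kept["deidentified_on"] = today.isoformat()
    return kept


def sweep(records: list[dict], today: date) -> tuple[list[dict], list[dict], list[int]]:
    """Partition records into (retained, de-identified, ids to destroy)."""
    retained, deidentified, to_destroy = [], [], []
    for record in records:
        if not past_retention(record, today):
            retained.append(record)
        elif record.get("keep_aggregate"):
            deidentified.append(deidentify(record, today))
        else:
            to_destroy.append(record["id"])
    return retained, deidentified, to_destroy


if __name__ == "__main__":
    retained, deidentified, to_destroy = sweep(SAMPLE_RECORDS, date(2014, 6, 30))
    print("retained ids:", [r["id"] for r in retained])
    print("de-identified records:", deidentified)
    print("ids to destroy:", to_destroy)
```

The point of returning three groups rather than deleting in place is auditability: the list of ids to destroy and the de-identified copies can be logged before any destructive step, which is the evidence an independent auditor of the kind the Commissioner requested would look for.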
 
The Commissioner requested Telstra, among other things, to engage an independent auditor to certify by 30 June 2014 that Telstra had implemented the planned rectification.


What's the risk?

 
Be mindful that the revamped Privacy Act has more teeth in respect of breaches. In particular: 
  • Complainants or the Privacy Commissioner, as before, can enforce the Privacy Commissioner's determinations in the Federal Court.
  • Injunctions, as before, are available to restrain any contravention of the Privacy Act.
  • The Privacy Commissioner may now extract and accept written undertakings from a person and enforce such undertakings in the Federal Court.
  • There are now significant monetary penalties (up to $1.7 million) for a 'serious' or repeated interference with the privacy of an individual.

Conclusion

 
Appropriate measures for controlling privacy breach risk, and rectifying breaches if they occur, should be part of all business planning. The measures may be simple and part of standard (but no less effective) operating procedures. Just don't let that mean they are overlooked – the enforcement powers of the Privacy Commissioner are now substantial.
