IN BRIEF

Recent amendments to the Privacy Act 1988 (Cth) (Privacy Act) require entities to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the new Australian Privacy Principles (APPs). This article looks at the Australian Privacy Commissioner's report on a privacy breach by Telstra, which provides valuable insight into the Commissioner's expectations and into the need for ongoing review and monitoring of compliance measures.

BACKGROUND AND FINDINGS

The personal information of 15,775 Telstra customers was unlawfully disclosed when a Telstra contractor inadvertently turned off access control, leaving the files in question accessible online from 24 February 2012 to 15 May 2013. Google's Googlebot later indexed the files, which then became discoverable through Google search.

The Commissioner found that Telstra failed to take reasonable steps to secure personal information or to destroy personal information no longer needed, and that it unlawfully disclosed personal information.

COMPLIANCE LESSONS

The investigation concerned breaches of the National Privacy Principles (NPPs), since replaced by the APPs; however, the Report still offers valuable insight into the Commissioner's expectations regarding the policies and procedures that may be required to comply with APP 1 (open and transparent management of personal information) and APP 11 (security of personal information). Of particular note is the Commissioner's consideration of web configuration, and of vulnerability testing and monitoring.

WEB CONFIGURATION

The Commissioner found that Telstra had not configured its website to request search bots not to index, archive or cache data on the parts of the website not intended to be publicly accessible. Google's indexing meant that the files became discoverable by a far greater number of people. In his May 2014 report on the own motion investigation into a similar privacy breach by Multicard Pty Ltd (Pilgrim, Timothy, Multicard Pty Limited: Own motion investigation report, May 2014), the Commissioner described this type of configuration as a 'basic element of website security'.

The lessons here are that basic security measures must be implemented and that, where available, simple measures that might limit the extent of a breach should a primary security measure fail should also be used.

VULNERABILITY TESTING AND MONITORING

Telstra submitted that once a security measure is implemented in a secure state there is no need for ongoing testing. The Commissioner responded that:

"There is no 'set and forget' solution to security and privacy in the digital environment... what is secure at a particular point in time can become subject to vulnerability at a later date".

(Pilgrim, Timothy, Telstra Corporation Limited: Own motion investigation report, March 2014)

The Commissioner concluded that Telstra's failure to take reasonable steps to implement security monitoring resulted in the breach going undiscovered by Telstra for almost 15 months. The take-away is that entities must take reasonable steps to undertake ongoing monitoring, testing and review of their security measures.
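The two technical points above, the crawler-facing web configuration and the absence of ongoing monitoring, can be combined into a single scheduled check. The script below is an added illustration written for this article; it is not code from the Commissioner's report, from Telstra or from any party to the investigation. The private paths, hostname, robots.txt text and HTTP responses are all constructed for the example; in production the observations would come from an HTTP client probing each path as an unauthenticated visitor, and the results would be fed to whoever owns the incident response process.

```python
"""Scheduled exposure check for paths that must never be served to the public.

Added example for this article, not from the Commissioner's report. The
inventory, robots.txt and responses below are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed inventory of resources that must stay behind access control.
# A real deployment would load this from the organisation's asset register.
PRIVATE_PATHS = ["/reports/", "/customer-data/"]

# Constructed robots.txt as served by the site. Note that only one of the two
# private prefixes is listed, mirroring an incomplete configuration.
ROBOTS_TXT = """# constructed sample
User-agent: *
Disallow: /customer-data/
"""


@dataclass
class Observation:
    """What the probe saw for one URL when fetched without credentials."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def robots_disallows(robots_txt: str, path: str, agent: str = "googlebot") -> bool:
    """True if robots.txt asks `agent` (or all agents) not to crawl `path`.

    Minimal parser: User-agent/Disallow groups with prefix matching. It does
    not implement Allow precedence or wildcard patterns.
    """
    groups, agents, rules, seen_rule = [], [], [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if seen_rule:  # a Disallow line followed by User-agent starts a new group
                groups.append((agents, rules))
                agents, rules, seen_rule = [], [], False
            agents.append(value.lower())
        elif key == "disallow":
            rules.append(value)
            seen_rule = True
    groups.append((agents, rules))
    # The most specific group wins: an exact agent match, otherwise the '*' group.
    chosen = next((r for a, r in groups if agent.lower() in a), None)
    if chosen is None:
        chosen = next((r for a, r in groups if "*" in a), [])
    return any(rule and path.startswith(rule) for rule in chosen)


def assess(obs: Observation, robots_txt: str) -> list[str]:
    """Classify one observation of a private path. Empty list means clean."""
    findings = []
    path = urlparse(obs.url).path
    if not any(path.startswith(prefix) for prefix in PRIVATE_PATHS):
        return findings  # public content: nothing to check here
    # Primary control: an unauthenticated client must never receive the file.
    if obs.status == 200:
        findings.append("EXPOSED")
    # Secondary controls limit how far a failure of the primary control spreads.
    # They are checked regardless of status so they are already in place if
    # access control is ever switched off again.
    headers = {k.lower(): v for k, v in obs.headers.items()}
    tag = headers.get("x-robots-tag", "").lower()
    if "noindex" not in tag:
        findings.append("MISSING_NOINDEX")
    if "noarchive" not in tag:
        findings.append("MISSING_NOARCHIVE")
    if not robots_disallows(robots_txt, path):
        findings.append("CRAWLABLE")
    return findings


def run_checks(observations: list[Observation], robots_txt: str) -> dict[str, list[str]]:
    """Map each probed URL to its findings; meant to run on a schedule, not once."""
    return {obs.url: assess(obs, robots_txt) for obs in observations}


def has_exposure(results: dict[str, list[str]]) -> bool:
    """True if any path is being served to the public: treat as an incident."""
    return any("EXPOSED" in findings for findings in results.values())


# Constructed responses: one file served without any control (the failure
# mode in the case), one properly protected, one public page, and one file
# whose crawler directives are present but whose access control is off.
SAMPLE = [
    Observation("https://example.test/reports/2012-q1.csv", 200, {}),
    Observation("https://example.test/customer-data/list.csv", 403,
                {"X-Robots-Tag": "noindex, noarchive"}),
    Observation("https://example.test/public/index.html", 200, {}),
    Observation("https://example.test/customer-data/old.csv", 200,
                {"X-Robots-Tag": "noindex"}),
]

if __name__ == "__main__":
    results = run_checks(SAMPLE, ROBOTS_TXT)
    for url, findings in results.items():
        print(url, findings or "ok")
    print("exposure detected:", has_exposure(results))
```

Two caveats a practitioner should keep in mind when reading the findings. First, robots.txt and the X-Robots-Tag header are requests to well-behaved crawlers, not access controls: an EXPOSED result is the incident, and the other codes only describe how much a crawler would amplify it. Second, a Disallow rule stops a compliant crawler from fetching the page at all, so it will never see a noindex header on that same path, and a robots.txt that lists private prefixes also publishes them to anyone who reads it; the inventory of what is private belongs in the monitoring system, not only on the public site.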

CONCLUSION

The Commissioner's Report highlights the need for:

  • ongoing review and monitoring of privacy practices, systems and procedures - do not 'set and forget';
  • building measures into your privacy compliance framework to limit the extent of breaches (such as the web configuration measures in this case or appropriate monitoring to detect breaches, and responses to minimise their impact);
  • exercising caution in relying on industry standards alone;
  • care in selecting and monitoring contractors handling personal information, if necessary employing appropriate contractual controls and protections – their breach may be your breach.

For further information please contact:

Susan Walsh, Senior Associate
Phone: +61 2 9233 5544
Email: sjw@swaab.com.au

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.