Increasingly, in this digitalised world, where consumers demand the convenience of online and near-instantaneous financial transactions, the trust between consumers and businesses is being tested more than ever before in the protection of personal information in those transactions.
Not surprisingly, the protection of such personal information by businesses comes at a cost - both to the businesses themselves and ultimately to the consumer. These data protection costs are likely to keep escalating given the number and frequency of sophisticated cyber attacks such as those we have reported previously 1,2 including the
The question is what price consumers are willing to pay, and demand of businesses, to ensure a 'reasonable' level of protection of personal information.
Available Protections under the Privacy Act
In the case of an 'eligible' data breach, that is, unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to individuals, individuals are protected under APP 11.1 and section 26WH (2) of the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs).
APP 11.1 declares that any APP entity must take 'reasonable steps' to protect personal information from misuse, interference, and loss, as well as from unauthorised access, modification or disclosure. Additionally, section 26WH (2) of the Privacy Act states that an entity must conduct reasonable and efficient assessment of whether there are reasonable grounds to believe the relevant circumstances amount to an eligible data breach. Furthermore, after the entity becomes aware of the potential breach, they must take all reasonable steps to ensure that the assessment of the breach is completed within 30 days.
This leads to the vexed question of what 'reasonable steps' might mean in circumstances where the size of the entity, the types of information stored, and the technological measures used to protect data differ across sectors. Given the uncertainty and lack of jurisprudence on how 'reasonable steps' should be interpreted, guidance is much needed to provide greater assurance to consumers and to assist businesses to understand what cyber-security measures are required to remain compliant with the law. The
The Medibank Data Breach
Under the Federal Court proceedings, the OAIC has alleged that
The OAIC has just published a redacted version of a Concise Statement in respect of the civil penalty enforcement action in the Federal Court against
What we know so far from the Concise Statement is that in
The Concise Statement suggests what steps the OAIC considers
The Concise Statement alleges that
The Commissioner alleges that
- MFA for access to its Global Protect VPN;
- Additional MFA authentication for sensitive or critical information assets within its network perimeter;
- Proper change management controls;
- Appropriate privileged access management controls, including "least privileges necessary", regular review of access, and revoking dormant accounts and users;
- Appropriate monitoring for privileged accounts to understand normal behaviour and alerts for unusual or suspicious account activity;
- Appropriate password complexity;
- Proper password monitoring and review processes to ensure that passwords were encrypted, undertaking regular password usage audits and security assessments of tools used to access or query important data sets;
- Proper security monitoring processes to detect and respond to security incidents in a timely manner, including review of all security alerts, clearly documented guidance and procedures for escalating security alerts, regularly reviewing work of first level alert review team, and configuring volumetric alerts for large or abnormal volumes of data;
- Appropriate security assurance testing, including annual penetration testing, internal audits, and internal control effectiveness testing;
- Proper application controls for critical servers; and
- Effective contractor assurance, including regular audits, inspections or testing for compliance and ensuring clarity in the terms of contractor agreements and that the roles and responsibilities are clear where responsibilities for implementing, or assisting with the implementation of, security controls are outsourced.
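Two of the controls listed above lend themselves to a concrete illustration: reviewing and revoking dormant privileged accounts, and configuring volumetric alerts for large or abnormal volumes of data. The following Python script is an added example written for this article; it is not code from the Concise Statement, the OAIC, or any party to the proceedings. The account records, query-log lines, the 90-day dormancy window, the 100,000-row absolute limit and the 10x-baseline multiplier are all constructed assumptions chosen to make the logic visible, not values drawn from the case.

```python
"""Defender-side checks for two 'reasonable steps' named in the list above:
1. dormant privileged accounts that should be reviewed and revoked, and
2. volumetric alerts on abnormal query volumes against important data sets.
All data below is constructed for this example."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# --- Assumed policy parameters (placeholders, not from the case) ---
NOW = datetime(2024, 6, 30)          # point in time the review is run
DORMANCY_DAYS = 90                   # privileged account unused this long -> revoke
ABSOLUTE_ROW_LIMIT = 100_000         # any single day above this is always alerted
BASELINE_MULTIPLIER = 10             # or more than 10x the user's own prior median

# --- Constructed account inventory (an IAM export would supply this) ---
ACCOUNTS = [
    {"user": "svc-backup",    "privileged": True,  "last_login": datetime(2024, 1, 10)},
    {"user": "admin-jane",    "privileged": True,  "last_login": datetime(2024, 6, 28)},
    {"user": "contractor-01", "privileged": True,  "last_login": datetime(2024, 2, 15)},
    {"user": "analyst-bob",   "privileged": False, "last_login": datetime(2023, 12, 1)},
]

# --- Constructed query-audit log: one line per query against a data set ---
QUERY_LOG = """\
2024-06-26T09:12:01Z user=analyst-bob dataset=claims rows=1200
2024-06-27T10:03:44Z user=analyst-bob dataset=claims rows=900
2024-06-28T11:15:09Z user=analyst-bob dataset=claims rows=1100
2024-06-29T02:41:37Z user=analyst-bob dataset=claims rows=850000
2024-06-27T14:00:00Z user=admin-jane dataset=members rows=50
2024-06-29T14:05:00Z user=admin-jane dataset=members rows=60
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) dataset=\S+ rows=(?P<rows>\d+)$"
)


def dormant_privileged_accounts(accounts, now=NOW, dormancy_days=DORMANCY_DAYS):
    """Return privileged accounts whose last login is older than the dormancy window."""
    cutoff = now - timedelta(days=dormancy_days)
    return sorted(a["user"] for a in accounts
                  if a["privileged"] and a["last_login"] < cutoff)


def daily_volumes(lines):
    """Sum rows returned per (user, day); unparseable lines are skipped."""
    totals = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        totals[(m["user"], m["day"])] += int(m["rows"])
    return totals


def volumetric_alerts(lines, absolute_limit=ABSOLUTE_ROW_LIMIT,
                      multiplier=BASELINE_MULTIPLIER):
    """Flag days where a user's volume exceeds the absolute limit or is far above
    that user's own median of earlier days (the 'normal behaviour' baseline)."""
    per_user = defaultdict(list)
    # ISO dates sort lexicographically, so ordering by the day string is chronological
    for (user, day), rows in sorted(daily_volumes(lines).items(), key=lambda kv: kv[0][1]):
        per_user[user].append((day, rows))
    alerts = []
    for user, series in per_user.items():
        for i, (day, rows) in enumerate(series):
            prior = [r for _, r in series[:i]]
            baseline = statistics.median(prior) if prior else None
            if rows > absolute_limit or (baseline and rows > multiplier * baseline):
                alerts.append({"user": user, "day": day, "rows": rows, "baseline": baseline})
    return alerts


if __name__ == "__main__":
    print("Privileged accounts to revoke:", dormant_privileged_accounts(ACCOUNTS))
    for a in volumetric_alerts(QUERY_LOG):
        print(f"VOLUME ALERT {a['day']} user={a['user']} rows={a['rows']} "
              f"baseline={a['baseline']}")
```

The baseline is deliberately per user rather than global: the 60 rows pulled by admin-jane and the 1,100 rows an analyst normally pulls are both "normal" for that account, while the 850,000-row day trips both the absolute limit and the user-relative rule. In practice the thresholds would be tuned from real usage data, and the alert would feed the documented escalation procedure the list calls for rather than just a print statement.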
Although the trial date is yet to be set down, the Concise Statement provides useful guidance in what the OAIC considers to be those 'reasonable steps' needed to be taken by a business such as
This has become all the more important since the implementation of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) in
- Three times the value of any benefit obtained through the contravention; or
- If the value of the benefit obtained cannot be determined, 30 per cent of a company's domestic turnover in the 'breach turnover period'.
Footnotes
1 https://www.bennettphilp.com.au/blog/proposed-reforms-privacy-act-1988
2 https://www.bennettphilp.com.au/blog/privacy-spotlight
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Mr
Bennett & Philp Lawyers
Level 13,
4000
Tel: 73001 2999
Fax: 73001 2989
E-mail: MEvans@bennettphilp.com.au
URL: www.bennettphilp.com.au
© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source