The latest decision of the Australian Privacy Commissioner should serve as a strong warning to entities to assess the effectiveness of their information security systems or otherwise risk being the sacrificial lamb if caught by the amended privacy laws from 12 March 2014.
In response to media reports that servers holding the personal information of customers of AAPT Pty Ltd (AAPT) had been subject to unauthorised access and transfer by the hacker group 'Anonymous', the Australian Privacy Commissioner opened an own motion investigation into AAPT.
AAPT's customers' personal information was held on a server managed and operated by a business unit of Melbourne IT (WebCentral). On becoming aware of the incident, WebCentral notified AAPT and immediate steps were taken to ensure that no further customer personal information was compromised.
The personal information that was subject to unauthorised access and use comprised both current and out-of-date or unnecessary personal information. The Commissioner also found that data existed on the server which was no longer in use and that AAPT should have taken steps to destroy or de-identify this information.
'Anonymous' were able to obtain the unauthorised access by exploiting a vulnerability in the application 'Cold Fusion' (Cold Fusion) installed on the server. Even though the application's security patches were up to date, the version of this software was not. Importantly, it was noted that the newer version of Cold Fusion may have prevented the unauthorised access and use by 'Anonymous'.
As part of the investigation, the contract between WebCentral and AAPT for the server services entered into on or around 2005 was considered by the Commissioner. Interestingly, the contract did not require:
- That the data on the server be appropriately assessed and classified to determine whether it included personal information or the sensitivity of that information;
- Existing or emerging security risks in connection with the Cold Fusion application to be identified or addressed; and
- Vulnerability scanning and effective lifecycle management of the Cold Fusion application to occur.
Further, it was not clear:
- That AAPT was aware of what personal information was contained on the server;
- What Cold Fusion applications were installed and which part of this server these applications were related to; and
- Who was responsible for the maintenance and lifecycle management of the Cold Fusion application.
Did AAPT or WebCentral hold the personal information?
The meaning of 'hold' extends beyond physical possession to also include a right or power to deal with the personal information. In this regard, the fact that AAPT customers' personal information was stored on WebCentral's server was irrelevant. Accordingly, AAPT was deemed to hold the personal information itself.
Did AAPT take reasonable steps to secure its customers' personal information?
In light of the above facts, the Commissioner found that AAPT had not taken reasonable steps to secure its customers' personal information.
The Commissioner's decision means that those entities which hold, collect, use, handle and secure personal information should review their existing practices and procedures to ensure compliance with the current and upcoming amended privacy law with its harsher penalties.
Some issues for you to consider include:
- Are you aware of what personal information may be contained on servers that you and/or an external third party operate and manage?
- Are your ICT systems and security patches up to date?
- Are you using the most recent version of your security software?
- What vulnerabilities can your existing security software detect?
- Will you be notified by your systems if unauthorised access or use occurs?
- Do you know the nature of the terms and conditions previously agreed with your service provider? Is your service provider's server based in Australia or overseas? Does your contract oblige you to maintain the application?
- What procedures do you employ when you de-identify or destroy personal information?
- Is out-of-date or unnecessary personal information currently being held by you or a third party?
- Have you reviewed your contracts that are 'on foot' and will continue to be when the amended privacy law commences?
- When did you last conduct a privacy training session for your employees?
- What risk mitigation procedures have you agreed with your service provider if a privacy breach occurs?
Implications of the Commissioner's Decision
An investigation by the Commissioner into an entity's data security practices and procedures may lead to an investigation of all of the entity's privacy practices and procedures.
Breaches of privacy obligations may have significant financial implications for entities under the new privacy regime. Although the existing law does not permit the Commissioner to impose any penalties or seek enforceable undertakings, the new privacy law gives the Commissioner the power to impose penalties for a serious breach or repeated interferences with the privacy of an individual and to seek enforceable undertakings from entities (among others).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.