12 June 2012


In my crueller moments I've compared action by the national Privacy Commissioner to being savaged - oh, the horror - by a toothless and arthritic sheep. A ferocious watchdog the Commissioner is not.

Last year there were reports that unsophisticated hacking of First State Super, a major superannuation funds service, had potentially exposed information regarding some 770,000 people ... enough, one would think, for some serious attention in a world where people are increasingly experiencing data breach fatigue. (The past weeks have seen claims of large-scale breaches involving the Linked-In and eHarmony social network services and Last.fm). The personal data included member names and addresses, details of superannuation account transactions and balances and the member’s current age.

The Privacy Commissioner initiated an own-motion investigation of the First State breach and has now published a report on that examination. It is, alas, depressing reading.

The Commissioner indicates that
On the basis of the information available to the Commissioner, he formed the view that the incident was not a disclosure in breach of NPP 2.1. However, he considered that, at the time of the incident, FSS had not taken reasonable steps to put in place security measures to protect the personal information it held in the member area of its online system. For this reason, the Commissioner formed the view that, at the time of the incident, FSS was in breach of NPP 4.1. 
The Commissioner acknowledges that upon becoming aware of this matter, FSS’s administrative manager, Pillar and FSS itself acted immediately to contain the incident, commenced an internal investigation of the incident, reviewed data security practices and sought external advice on how to handle the situation. Many of these steps are recommended by the OAIC in its Data breach notification guide.  Consequently, the Commissioner ceased his own motion investigation into this matter, on the basis that the response to this incident appears adequate in the circumstances.  The Commissioner’s file on the matter is now closed. 
The OAIC has not received any individual complaints in relation to this matter. 
The OAIC has advised FSS that should individual complaints be received about this matter, each complaint will be considered and information gathered as part of this investigation will be taken into account in any subsequent investigation.
And that, it seems, is that.

In the UK, where they do things differently - and the Commissioner's counterpart has more legislative teeth (and arguably a less laissez-faire attitude) - the Information Commissioner has been imposing financial penalties for smaller breaches. In the US it has become increasingly common to encounter penalties and settlements of several hundred thousand dollars, with this month for example being marked by a US$775,000 settlement by South Shore Hospital after investigation by the Massachusetts Attorney General’s Office over allegations that the hospital failed to protect the health information of over 800,000 consumers.

In thinking about the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) currently before the Australian Parliament we might want to consider the shape of sanctions for corporate indifference to data breaches and whether shaming is an effective mechanism for encouraging best practice.

Regrettably also there's been no word from the Australian Prudential Regulatory Authority regarding application - or otherwise - of its 2010 Prudential Practice Guide 234 – Management of security risk in information and information technology [PDF].