28 March 2015

Optus enforceable undertaking

Optus has entered into an enforceable undertaking with the OAIC under s 33E of the Privacy Act 1988 (Cth), acknowledging that it failed to take reasonable steps to secure the personal information and personal security of some 300,000 customers in three separate incidents last year.

The weakness of the response is a reminder of concerns regarding mandatory retention of metadata, including the likelihood that retention will result in data breaches and the ineffectiveness of bureaucratic responses to such breaches.

In the first incident Optus released the names, addresses and mobile phone numbers of about 122,000 Optus customers in the White Pages online directory without the consent of those customers. Much of that information was also published in print editions of the White Pages. The failure was attributed to a "coding error". The third incident related to Optus "deliberately" leaving the management ports of customer-issued modems open, incorrectly assuming that they were only accessible by Optus staff for network management purposes. Optus additionally issued 197,000 Netgear modems and 111,000 Cisco modems to its customers with factory default settings, including default usernames and passwords, still in place.

A benchmark is provided by ACMA's imposition last year of a $10,200 penalty on Telstra over disclosure of silent numbers, discussed in my 'Paying For Pain? Damages, Determinations and other payments for privacy breaches' in the latest Privacy Law Bulletin. In earlier Telstra data breaches, the personal information (including names, addresses, usernames and passwords) of approximately 734,000 customers was accessible online in 2011, and a mailout of approximately 220,000 letters with incorrect addresses occurred in 2010.

ACMA indicated that Telstra contravened the Telecommunications Consumer Protections Code (TCP), which requires that connectivity providers have 'robust procedures' to ensure that the personal information of customers is protected from unauthorised use or disclosure. Telstra had failed to comply with directions over a previous code breach.

One metric for the formal value of privacy – or for regulatory capacity – is provided by matching the $10,200 maximum penalty to the 15,775 customers whose details were available for 15 months during 2012 and 2013.

The new Optus undertaking states:

"In each case, there was a failure by Optus to detect the incidents; the incidents were brought to Optus' attention by third parties. This resulted in Optus experiencing substantial delays in taking action to contain each incident, which also prolonged the duration of the risk to affected individuals."

The security measures in place "were not reasonable to protect the personal information that Optus held, particularly in relation to the White Pages incident".

The undertaking requires Optus to:
  • Complete a set of reviews and certification;
  • Provide copies of those reviews and certifications to the OAIC;
  • Implement any recommendations and rectify deficiencies identified in those reviews and certifications; and
  • Provide a report by an independent third party to the OAIC certifying that the specified actions have been completed.

The Optus vice-president of corporate and regulatory affairs offered the standard rhetoric, stating that "Optus takes privacy and security very seriously".