03 June 2015

Catch of the day jellyfish

What happens when you are a retailer, a data breach exposes addresses and other personal information, you don't reveal the breach until three years later, and the national privacy agency then takes a year to investigate?

In a word, not much!

The Office of the Australian Information Commissioner - recently praising its own diligence and effectiveness (presumably on the basis that if other people won't commend you it's necessary to resort to loud self-congratulation) - has announced that it
has finalised enquiries into Australian retail company Catchoftheday.com.au Pty Ltd (COTD), following a data breach notification received in June 2014. 
The breach featured a range of personal information.

The OAIC states that
COTD informed the Australian Privacy Commissioner of a data breach it experienced in 2011, which resulted in the compromise of personal information of COTD’s Australian customer base.
As a result, the OAIC "conducted enquiries in relation to this incident". Those enquiries took a year and of course the Commissioner has not released details.

The statement regarding finalisation - buried in the OAIC site, not as a media release or on the homepage - indicates that
the Commissioner expressed concern about the size of the breach, the possible compromise of financial information, and the significant delay between COTD becoming aware of the incident and notifying affected individuals.
Presumably COTD quivered when belatedly questioned amid the media furore that included the explanation
We unreservedly apologise to our customers for this incident. We take data security seriously and have taken strong measures to protect their personal information. We have committed significant resources both internally, with a large dedicated team and externally via expert consultants to ensure we meet industry standards.
Quite so.

The OAIC states that
COTD has taken a range of steps in response to the incident including notifying banks, credit card companies, and the police; commissioning a third party expert to investigate the issue; rebuilding the e-commerce platform that was the subject of the attack; and upgrading its infrastructure to ensure compliance with the Payment Card Industry Data Security Standards (PCI-DSS). COTD completed an internal Privacy Compliance Assessment, resulting in 20 recommendations that go to improving COTD’s privacy governance arrangements and related matters.
We can sleep soundly, knowing that the tireless bureaucrats have
recommended that COTD improve its processes for notifying customers of data breach incidents in future.
In light of the steps COTD has taken to prevent a similar incident from recurring, the OAIC does not intend to take any further action in relation to the incident at this time. However, COTD has been asked to provide a report about the implementation of the above recommendations within three months.
A sceptic might conclude that it's quite OK for an organisation to experience a major breach ... several years later the OAIC will take twelve months to conduct an investigation that culminates in being savagely flailed with a limp lettuce leaf.

The OAIC states that it
may conduct further enquiries if complaints are received from people who have been adversely affected by this incident.
Given the very substantial delays experienced by individuals who do complain to the OAIC it would be unsurprising if people don't bother making those complaints.

The OAIC response - slow-moving, insubstantial, easily missed - resembles a jellyfish. We might reasonably look for more spine, more energy, more substance.

What are the "industry standards"? Are they adequate? Are they a matter of lowest common practice?

Should we expect more than a recommendation that COTD - and by extension its peers - "improve its processes for notifying customers of data breach incidents in future"?

Just as saliently, the response is a reminder of the need for timely, clear and comprehensive reporting by public and private sector entities that experience a data breach. We shouldn't have to wait several years. We will presumably continue to wait until there is mandatory data breach reporting, with reporting to data subjects rather than merely to a regulator that is either unwilling or incapable of using its soft power to encourage best practice on the part of database operators. Overseas jurisdictions offer proof that such mandatory reporting is feasible.

Failure on the part of the OAIC is deeply regrettable but, alas, unsurprising, given the agency's history of underperformance and resistance to external scrutiny. It fosters perceptions of regulatory incapacity (potentially regulatory capture) that encourage ongoing financial stringencies on the part of the Government. It also fosters questions about the need to establish a more vigorous, independent and properly resourced agency … particularly an agency that actively engages with civil society rather than relying on private consultations with unidentified entities that are not necessarily representative of business or consumers.

In the era of big data - and potential big data breaches - we need a watchdog, not an indolent bureaucratic jellyfish.