15 August 2015

OAIC Incapacity

'The Privacy Commissioner and Own-Motion Investigations Into Serious Data Breaches: A Case of Going Through The Motion?' [PDF] by Jodie Siganto and Mark Burdon in (2015) 38(3) UNSW Law Journal comments
Data breaches resulting from information security failures continue to be an issue of pressing concern. The Office of the Australian Information Commissioner (‘OAIC’) recognises that data security is a major challenge for organisations. Starting in February 2011, the OAIC commenced a series of ‘high profile’ investigations into alleged data breaches. Each of these investigations was commenced by the Privacy Commissioner (the ‘Commissioner’) with reference to the OAIC’s Own Motion Investigation (‘OMI’) powers.  These powers allow the Commissioner to conduct an investigation without any prior complaint being made. 
The Commissioner heralded the use of OMIs and the subsequent publication of reports as a change in its enforcement approach to ‘particularly serious or high profile privacy incidents’. 
All of these incidents related to data breaches. The new strategy was partially developed to increase the transparency of the OAIC’s investigation process and to help organisations and agencies to better understand their privacy responsibilities. 
Surprisingly, the Commissioner’s change in approach has received little scholarly attention given the heightened concern about data breaches and past criticisms of the Commissioner’s failure to pursue a robust enforcement approach. Previous research has focussed on the way the OAIC has used its investigation powers generally,  with only limited consideration of the use of powers in relation to data breach incidents. 
This article fills a gap in the current literature and examines the actual investigatory and decision-making procedures adopted in six data breach-related OMIs undertaken between February 2011 and July 2012. They involve a range of different respondents, different types of security incidents and different findings regarding breaches of privacy principles, with a particular focus on National Privacy Principle (‘NPP’) 4. NPP 4 required entities covered by the Privacy Act 1988 (Cth) (‘Privacy Act’) to implement reasonable security measures in order to protect personal information. 
We examine how these investigations were conducted and the basis for the decisions made, including the publication of final investigation reports. Our framework for examination includes the OAIC’s own published guidance as to how it should undertake investigations and publish reports, and generally recognised principles for the exercise of regulatory powers. Part II provides background to the Commissioner’s investigations and interest in data breach cases and then outlines the methodology adopted. Part III details the reasoning behind the OAIC’s investigatory processes including the reasons for undertaking the OMIs, the process of evidence collection, the decision-making process adopted, and the reasons for the publication of final results in OMI reports. Our findings indicate that the investigation process followed in these six cases could be described as high-level, and lacking in both balance and vigour. Part IV then puts forward reasons for the standard of these investigations by critically questioning whether the OAIC had sufficient powers and resources to adequately conduct the OMIs. We also consider whether the Commissioner pursued these OMIs as a means to further the OAIC’s policy agenda regarding the development of a mandatory data breach notification scheme. 
We conclude that the OAIC’s decision to conduct these OMIs was to highlight and support its policy interests, without having the requisite resources or powers to conduct the investigations effectively. In other words, in the interests of pursuing a data breach policy agenda, the OAIC seems to have been going through the motions in its data breach investigations.
The authors conclude
In terms of the six OMIs reviewed, the selection of the particular cases to investigate (all involving a data breach), the ongoing media engagement highlighting both the investigations being undertaken and the investigation results once available, and the Commissioner’s personal involvement in the decision to publish reports, all suggest that these OMIs were part of a policy imperative to focus on investigating data breach cases. The Commissioner drew the specific link between these investigations and data breach notification in our interview, saying that ‘we are seeing breaches on a large scale’ and that a mandatory reporting scheme was required ‘to give people the ability to know they need to take steps to protect [their personal] information when something goes wrong’. 
Based on the above, it could be argued that one of the motivations for undertaking these OMIs and publishing investigation reports might have been to provide further support for the introduction of a mandatory data breach notification scheme, or at the very least, to highlight the issue of data breaches in Australia. This would be consistent with the Commissioner’s stated policy position and may explain why the Commissioner has elected to dedicate increasingly scarce resources to the pursuit of these investigations, in preference to other regulatory activity. It may also explain why the investigations themselves lack the rigour that might otherwise be expected. It is possible that the real purpose for these investigations was to raise the profile of data breaches and to highlight the role of the Commissioner in resolving issues as part of a more general policy imperative. If that is indeed the case, then it is not so important that the investigations themselves be conducted in line with the OAIC’s own guidance or in accordance with general principles for the use of regulatory powers, including the principles of transparency, balance and vigour. ... 
Our investigation of the six OMIs suggests that the OAIC’s decisions to commence the investigations were in response to media and were perhaps motivated by an interest in raising the profile of data breaches in Australia to support the introduction of a mandatory notification scheme. Whether this is in fact correct or not, there are clearly issues with the process followed in each investigation. In all of the OMIs, an ‘on the papers’ approach was used, based on written responses to largely generic requests for information. There was virtually no second-round questioning, independent evidence gathering or confirmation of the facts as asserted by the respondents, whether directly or via third-party investigation reports commissioned by the respondents. The decision-making process used is also not clear. The change in the outcome of the Medvet investigation, after the initial outcome was communicated to the respondent, in particular raises issues as to the basis for the OAIC’s decision-making in these cases. 
We assert that these issues arise, in part, as a consequence of the limited powers, skills and resources available to the OAIC at the time. Given the OAIC’s new powers and increased accountability, these issues may be addressed in future Commissioner-initiated investigations. However, without the allocation of significant additional resources, it seems unlikely that there would be any significant change in process. Reliance on third-party investigation reports commissioned by the respondent in a future investigation may not be an appropriate resolution. 
The OAIC is right to emphasise that the problem of data breaches is likely to remain. However, the examination of the six OMIs reveals that the investigatory approach adopted can lead to the situation where the OAIC investigators are simply going through the motions. On that note, given the issues we highlight in this article, the OAIC’s data breach investigations as a body of work are unlikely to be of assistance in regulatory efforts to prevent data breaches, unless significant changes are undertaken. Such changes would herald a major policy shift regarding the role of the OAIC, characterised by the need for a supported, adequately resourced and thus proactive Australian privacy regulator. In that regard, our examination of six relatively recent OMIs sounds a warning not just as to what has happened, but also for the future

11 August 2015


'Of Property and Information' by Abraham Bell and Gideon Parchomovsky in (2015) Columbia Law Review (Forthcoming) comments
The property-information interface is perhaps the most crucial and under-theorized dimension of property law. Information about property can make or break property rights. Information about assets and property rights can dramatically enhance the value of ownership. Conversely, dearth of information can significantly reduce the benefit associated with ownership. It is surprising, therefore, that contemporary property theorists do not engage in sustained analysis of the property-information interface and in particular of registries — the repositories of information about property.
Once, things were different. In the past, discussions of registries used to be a core topic in property classes and a focal point for property scholarship. In recent decades, registries have lost their luster for scholars, and their discussion has been relegated to the innermost pages of property textbooks. The reason for this is that registries are widely considered the domain of legal practitioners, not of theorists.
We argue that nothing could be further from the truth. Registries and the information they contain are, in fact, the formative forces that shape the world of property and no theoretical account of the institution of property can be complete without them. In this Essay, we offer the first in-depth legal-theoretical analysis of the intricate relationship among title information, rights and assets in the domain of property, as mediated by registries.
Our analysis gives rise to several new insights. First, we highlight the triple role that registries perform for property owners. They simultaneously perform a facilitative role by streamlining transactions between willing sellers and buyers, an obstructive rule by hindering non-consensual encroachments and takings of assets, and an enabling role by allowing owners to locate and use their own lost assets. Second, going against the accepted lore, we posit that perfect registries, even if they were possible, are socially undesirable on account on what we call “the information/asset paradox.” Perfect information about assets and legal rights may result in the destruction, dismembering and mutilation of the asset by non-consensual takers in an attempt to make the asset unrecognizable, as exemplified by millions of stolen cars and jewelry, or, conversely, to attempts to engage in “identity theft” in order to give thieves the benefit of the registered rights. Third, we argue that the registries are socially desirable when it is impossible or difficult to alter the defining characteristic of the underlying asset. This insight explains why there are registries for non-transformable assets, such as land and unique artworks, but not for transformable assets that include mass production goods and many natural resources. Finally, we address the question of which rights should be covered by registries and how much legal deference should be given to them. The framework we provide is significant not only for theoretical reasons, but also for practical ones. For example, it can inform policymakers in deciding whether to establish new registries for smart-phones and personal computers in order to combat theft of such devices. Similarly, our analysis sounds a cautionary note about the ability of registries of copyrighted works to curb unlawful appropriation and distribution. Per our analysis, such assets are infinitely malleable and, worse yet, information concerning ownership in such works can be easily effaced or altered in the digital age. We also discuss how considerations of costs and privacy affect the comprehensiveness and integrity of registries. At the end of the day, our analysis exposes the promise and the limitations of registries, as well as the ways in which they can be improved by the state.