Telecommunications company Optus has entered into an enforceable undertaking with the Australian Privacy Commissioner after it was found to have breached tough new privacy principles which came into effect last year.
Under the Privacy Act 1988, an enforceable undertaking is a written undertaking given by an entity that it will:-
- take specified action in order to comply with the Privacy Act;
- refrain from taking specified action in order to comply with the Privacy Act; or
- take specified action directed towards ensuring that the entity does not do an act, or engage in a practice, in the future that interferes with the privacy of an individual.
It is the first time such an undertaking has been made under the new laws and highlights the issues that directors need to take into account when assessing their organisations’ capacity to protect personal information.
The enforceable undertaking is the result of an investigation that commenced in July 2014 after Optus notified the privacy regulator that three breaches of privacy had occurred within its organisation. These breaches related to three separate incidents:-
- Between February 2013 and April 2014 the names, addresses and mobile phone numbers of approximately 122,000 Optus customers were listed in the White Pages online directory without the consent of those customers. The information of the majority of those customers was also published in various print editions of the White Pages.
- Optus issued 197,000 Netgear modems and 111,000 Cisco modems to its customers with factory default settings, including the default user names and passwords, still in place. Optus did not conduct connectivity testing of those modems. In combination, these two failures meant that customers who did not change the default user names and passwords were left exposed: a third party could potentially make calls through the modem that would be charged to the Optus customer.
- Between September 2013 and 13 May 2014, a flaw in Optus’s security processes led to certain customers not being prompted for their password when retrieving voicemail from outside the Optus network. Optus did not identify this issue during testing. Consequently, where a customer’s voicemail account was not password protected, the customer was vulnerable to ‘spoofing’ attacks, in which an unauthorised party could access and use the voicemail account, including listening to recorded messages and changing settings and preferences.
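The voicemail incident turns on where a presented caller number may be trusted. The following model is an added example for this page, not Optus’s code and not anything taken from the undertaking. It assumes that the ‘spoofing’ referred to is caller-ID spoofing on calls that arrive from outside the carrier’s network, and all names, the PIN store and the sample calls are constructed for illustration. It places the flawed access decision beside a hardened one, and adds a small audit over granted accesses of the kind that would have surfaced the problem from the platform’s own records.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Call:
    mailbox: str            # mailbox number being retrieved
    presented_number: str   # caller ID as presented; forgeable on calls arriving from outside the carrier
    on_net: bool            # True only when the carrier's own switch asserted the caller ID
    pin: Optional[str]      # PIN entered by the caller, or None if none was entered


# Constructed sample data: PINs as the voicemail platform would hold them.
# A value of None models a customer who never set a PIN (an unprotected mailbox).
MAILBOX_PINS = {
    "0412000001": "4821",
    "0412000002": None,
}


def _pin_ok(call: Call) -> bool:
    """True only if the mailbox has a PIN and the caller supplied exactly that PIN."""
    expected = MAILBOX_PINS.get(call.mailbox)
    if expected is None or call.pin is None:
        return False
    return hmac.compare_digest(call.pin, expected)


def flawed_access(call: Call) -> bool:
    """The behaviour described in the text: a call presenting the mailbox's own
    number is treated as the owner and never prompted, wherever it came from."""
    if call.presented_number == call.mailbox:
        return True
    return _pin_ok(call)


def hardened_access(call: Call) -> bool:
    """Caller ID is trusted only when the carrier's own network asserted it.
    Anything arriving off-net must present a valid PIN, so a mailbox with no
    PIN set is unreachable from outside until the customer sets one."""
    if call.on_net and call.presented_number == call.mailbox:
        return True
    return _pin_ok(call)


def suspicious_grants(decisions: List[Tuple[Call, bool]]) -> List[Call]:
    """Audit over the access log: every access granted to an off-net call
    without a PIN having been verified. Running this over the platform's own
    records would have surfaced the flaw without waiting for a third party."""
    return [call for call, granted in decisions
            if granted and not call.on_net and not _pin_ok(call)]


# Constructed calls used by the demonstration below.
SPOOFED = Call("0412000001", "0412000001", on_net=False, pin=None)          # attacker forging the owner's number
OWNER_ON_NET = Call("0412000001", "0412000001", on_net=True, pin=None)      # owner dialling from their own handset
OWNER_OFF_NET = Call("0412000001", "0299990000", on_net=False, pin="4821")  # owner dialling from a landline
WRONG_PIN = Call("0412000001", "0299990000", on_net=False, pin="0000")
NO_PIN_SPOOFED = Call("0412000002", "0412000002", on_net=False, pin=None)   # unprotected mailbox, forged number

if __name__ == "__main__":
    calls = [SPOOFED, OWNER_ON_NET, OWNER_OFF_NET, WRONG_PIN, NO_PIN_SPOOFED]
    for c in calls:
        print(f"{c.mailbox} from {c.presented_number} on_net={c.on_net}: "
              f"flawed={flawed_access(c)} hardened={hardened_access(c)}")
    flawed_log = [(c, flawed_access(c)) for c in calls]
    print("suspicious grants under flawed logic:",
          [c.mailbox for c in suspicious_grants(flawed_log)])
```

The hardened decision does not need to know anything about the attacker; it simply refuses to let a forgeable attribute (the presented number on an off-net call) stand in for authentication. The same audit run against the hardened decisions returns nothing, which is the condition a platform should be checking continuously.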
In each case Optus failed to detect the incident itself; each was brought to its attention by a third party. This resulted in substantial delays in containing each incident, which in turn prolonged the period during which affected individuals were at risk. Optus has since taken steps to contain the incidents and co-operated with the regulator’s investigation.
The Australian Privacy Commissioner commenced the investigation following concerns that Optus may not have taken reasonable steps to secure the personal information it held, as required by Australian Privacy Principle 11 (APP 11), the principle dealing with the security of personal information.
The Australian Privacy Principles came into force on 12 March 2014 and significantly raised the bar on how businesses and federal government agencies collect, store and handle individuals’ personal information. For breaches of the principles the Privacy Commissioner can seek court-ordered civil penalties of up to $1.7 million, or accept an enforceable undertaking from the organisation concerned.
The undertaking provided by Optus requires Optus to complete certain reviews and certifications, and to implement any recommendations from these activities. It must also provide a report by an independent third party to the regulator certifying that the specified actions have been completed.
If you would like information on how your organisation can better manage its obligations under the privacy principles or on any other issue, contact Brazel Moore Lawyers on (02) 4324 7699 to speak to an experienced Lawyer today.