‘The enforceable undertaking provides a positive outcome for people affected by the breach, with TeleChoice agreeing to, amongst other things, reimburse the cost of a 12 month credit monitoring service for affected individuals who are concerned about the possibility of credit fraud,’ said Mr Pilgrim.
The enforceable undertaking finalises an investigation that Mr Pilgrim commenced in May 2015. The Commissioner’s investigation focused on whether TeleChoice took reasonable steps to secure the personal information it held, and to destroy or de-identify personal information that it no longer needed, as required by Australian Privacy Principle (APP) 11.
During the course of the investigation, TeleChoice acknowledged that it had not complied with APP 11, and, as part of the enforceable undertaking, will take specific steps to improve its information security and destruction practices to mitigate the risk of a similar incident occurring in the future.
‘I appreciate TeleChoice’s cooperation with my office during this investigation,’ Mr Pilgrim said. ‘This incident demonstrates the importance of businesses securing the personal information that they hold. Physically locking a container that holds personal information is not sufficient if the container is publicly accessible and unmonitored for extended periods.’
‘I would encourage all businesses to review their customer records storage. Australian customers expect that organisations will handle their personal information securely, and are entitled to this under the Privacy Act,’ Mr Pilgrim said.
The OAIC will continue to liaise with TeleChoice to ensure that it meets its obligations in the enforceable undertaking.
Media contact: Ms Sarah Croxall 0407 663 968 email@example.com
The Enforceable undertaking is available on the OAIC’s website: http://www.oaic.gov.au/privacy-law/enforceable-undertakings/telechoice-enforceable-undertaking
Nature of the incident and investigation
The OAIC first became aware of the incident when it was reported on Channel 9 on 23 April 2015. TeleChoice subsequently provided the OAIC with a voluntary data breach notification about the incident on 24 April 2015.
TeleChoice advised that the customer personal information in the shipping containers had been awaiting destruction, and that the containers had been situated on private land, locked and checked monthly by a maintenance representative. However, unknown individuals had broken into the containers. When TeleChoice became aware of this, it immediately removed all of the customer personal information and destroyed it, except for a small sample. As a result, TeleChoice is unable to determine the identity of the customers affected by this incident.
The Office of the Australian Information Commissioner (OAIC) opened a Commissioner-initiated investigation into the incident on 18 May 2015, due to the seriousness of the breach and questions around whether the security safeguards implemented to protect TeleChoice customers’ personal information were reasonable in the circumstances.
The Commissioner-initiated investigation focused on whether TeleChoice had taken reasonable steps to:
- protect customer personal information from misuse, interference and loss, and unauthorised access, modification or disclosure (APP 11.1)
- destroy or de-identify personal information it no longer needed (APP 11.2).
As part of the enforceable undertaking, TeleChoice has also agreed to:
- engage an independent and qualified third party to review its information handling practices and procedures, including its storage of customer personal information
- implement improvements to its information handling practices, such as by establishing written policies and procedures about the storage of customer personal information.
TeleChoice advised that only customer records dating from before 31 March 2013 may have been stored in the containers, which means only individuals who were TeleChoice customers before that date may have been affected by this incident.
Individuals who wish to be reimbursed for the cost of a 12 month credit monitoring service will need to demonstrate to TeleChoice that they were a customer prior to 31 March 2013 by, for example, providing copies of correspondence with TeleChoice, or a statutory declaration.
Individuals who think they may have been affected by this incident can contact TeleChoice at firstname.lastname@example.org.
Individuals can contact the OAIC’s Enquiries Line for further information about the Privacy Act 1988 (Cth) and their privacy rights, on 1300 363 992 or email@example.com.
The Privacy Act and the OAIC
The reforms to the Privacy Act 1988 introduced a new power for the Australian Information Commissioner to accept an enforceable undertaking from an organisation or agency.
An enforceable undertaking is an agreement between the OAIC and an organisation or agency that creates a binding commitment to take steps to ensure privacy compliance. An enforceable undertaking can be enforced by the Commissioner in the Federal Court or Federal Circuit Court.
The OAIC publishes a guide to assist organisations and agencies in planning for and responding to data breach incidents: Data breach notification — A guide to handling personal information security breaches.
The OAIC publishes a guide to assist organisations and agencies in assessing their personal information security requirements under Australian Privacy Principle 11: Guide to securing personal information.