Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

The importance of information security in protecting privacy

Presentation by Privacy Commissioner, Timothy Pilgrim, to the Australian Information Security Association (AISA) conference, Friday 17 October 2014.

Introduction

Good morning and thank you for having me here this afternoon. I note that the conference theme this year is ‘Incident response’ and that seems very appropriate to me, in the current environment — all too regularly we see media headlines about data breaches and customers’ personal information being compromised. Some standouts this year have been Catch of the Day, Department of Immigration and Border Protection, EBay, Target US and even this week a major breach at Kmart US.

Our Office has been kept busy over the last few months working with organisations who have voluntarily reported data breaches, or in investigating incidents that are particularly concerning.

This month is Cyber security month in the United States, and although research has revealed that around 60% of young Americans don’t know what the ‘cybersecurity’ profession actually is, it can’t be denied that the security industry is at the forefront of working with the public and private sectors in developing and protecting information security.

The security industry is also a key player in working with organisations to help them in implementing plans and systems to enable data breach response, so I’m really pleased to be able to talk to you today so I can share what I am seeing as Australia’s Privacy Commissioner.

OAIC abolishment / new office update

I want to start by giving you a quick update on developments in privacy regulation in Australia. You may be aware that in the May budget the Government signalled its intention to abolish the Office of the Australian Information Commissioner. For over four years our office has been working on privacy, freedom of information and information policy. This has provided an opportunity to explore the connections between these areas which we have been able to capitalise on when developing policy and providing advice to business, government and the public.

The Freedom of Information Amendment (New Arrangements) Bill 2014 was introduced to the Australian Parliament on 2 October. The effect of this Bill is that from next year, administration of FOI will be split across a number of agencies.

The position of the Australian Privacy Commissioner, however, remains essentially unchanged. So it will be business as usual for privacy regulation, policy, complaint handling and public education.

This is important as it has only been just over 7 months since the reforms to the Privacy Act came into effect, and it’s important that organisations are able to continue to operate under a familiar system of laws and regulation, overseen by the same regulator. Because the changes to privacy law are still relatively new, I want to share with you what has been happening this year.

What is the community saying about privacy?

But first, what is the community — your organisation’s customers and clients — saying and expecting about privacy.

The way peoples’ personal information is collected, used and monetised is increasingly being put under the spotlight by rapidly changing technologies. And rather than accept a complete loss of privacy as an inevitable part of technology, people are looking for ways to maintain control over their personal information, and to gain the benefits of technology without being forced to give away their privacy. It is also interesting to note that, in the face of an increase in potentially privacy invasive technologies, people are more aware of the value of their personal information.

This time last year we released the results of our Community Attitudes to Privacy survey. The survey results showed a number of areas where people have an increasing level of concern about the handling of their personal information:

  • Australians continue to be concerned about their personal information being sent overseas (90%)
  • Australians are very concerned about information security and data breach notification, with approximately 95% of people saying that they should be informed how their information is handled and protected, and if it is lost
  • 74% of Australians are more concerned about the privacy of their personal information in the online environment than they were 5 years ago
  • Finally, 63% of Australians have chosen to not deal with a public or private sector organisation due to concerns about the way their personal information is used or protected.

This last statistic should be sobering for all organisations — and it gives a great incentive to establish and maintain transparent business practices. Many organisations are responding to this shift in community attitudes and recognising that a reputation as an organisation that is committed to privacy not only builds customer trust, but is a strong market differentiator and contributes to a positive customer experience.

In the last 2013–14 year, we received 4239 privacy complaints, which is a hefty 183% increase on the previous year. Our enquiries line also received 11,737 privacy telephone enquiries and responded to 2455 written enquiries. This is an increase of 30% in written enquiries. Some of this increase, especially in enquiries, is attributable to the changes in privacy law, but a very substantial amount of the increase in complaints is due to two significant data breaches in the last year, which led to a large number of individual complaints being lodged with our office. The majority of enquiries that we receive are from individuals wanting information about their privacy rights and about how to make a complaint.

This quite clearly demonstrates that privacy is an issue the community is concerned about, and that they are willing to take steps to protect themselves and seek recourse.

Data breach notification

In Australia we don’t have a system of mandatory data breach reporting, other than in relation to specific e-health legislation.

I have always been in favour of mandatory data breach notification legislation, as it helps to manage the risk to individuals in the case of a data breach, but it also helps organisations — data breaches are becoming an inevitable part of doing business in the information age, and structured data breach notification laws would help organisations deal with this risk, and respond to a breach.

Nevertheless I am pleased to say that many organisations have data breach notification as part of their data breach response plans, and follow notification procedures as good privacy practice, and as part of taking reasonable security steps — a lot of organisations do follow the notification steps outlined in our data breach notification guide, and that is encouraging. It is not a secret that we don’t see the levels of data breach notification that we would like to see, given how many organisations experience a breach. However, it is still a good sign that we have seen a steady increase in the number of organisations coming to us to report.

In 2013–14, we received 71 voluntary data breach notifications, which is a 16.4% increase on the number we received the previous year. But there have also been a number of high profile data breaches that were not reported to us, and which we found out about through complaints or through the media. In one instance, we found out about a substantial data breach, that had serious repercussions for clients, three years after it occurred — this is simply not acceptable, and while it is clearly not going to be looked upon favourably by our office when it comes to investigating, it is also going to impact significantly on customer trust as we are saw in our survey.

Therefore, reporting a data breach incident to us can help organisations to manage the incident — when we receive a notification we make initial enquiries, primarily focussing on the data security measures that the organisation had in place when the incident occurred and the steps the organisation has taken to improve security practice in future to achieve the best privacy outcome for affected individuals.

What this means in practice will obviously depend on the nature of the breach — a hack, a leak or a physical breach will all have different response plans, but in all circumstances, speaking to our office can help to manage this response.

Following our initial investigation, we may consider that the reporting organisation has taken appropriate steps to the data breach, including mitigating harm to affected individuals, and it may be that we take no further action. In cases where we are not satisfied with the voluntary action taken by the agency or organisation to resolve the matter, or where the nature of the breach warrants further action, a Commissioner initiated investigation, formerly known as an own motion investigation, may be opened.

Something that we look for when an organisation has experienced a data breach is whether they have followed our voluntary data breach notification guide. This guide outlines the steps to take in the case of a breach, which are:

  • contain the breach and do an assessment
  • evaluate the risks
  • take appropriate notification steps
  • implement processes to prevent future breaches.

However, an important step that is covered by this guide takes place before a breach even takes place, and that is — all organisations that handle personal information should have a data breach response plan set up, before there is any need to use it. Our office has one, and you should too — statistics show that organisations with a data breach response plan suffer far less from the effects of data breaches, and are able to respond far faster than those that don’t have one.[1]

The cost of a data breach

Experiencing a data breach can be extremely expensive, and investing in strong information security control is worth the cost. But if you do experience a data breach, studies have shown that organisations that have a data breach response plan, and organisations that employ specialists in the field, such as a Chief Privacy or Chief Information officer, suffer less financially.

You may be interested in some numbers that came out of the December 2013 breach at Target US, which show the true cost of data breach:

  • The number of total records stolen that included the name, address, email address and phone number of Target shoppers: 70 million
  • Drop in profits at Target US in Q4 compared with the year before: 46%
  • Estimated cost to banks for reissuing 21.8 million cards (about half of the total stolen): $200 million
  • Amount Target said it will spend upgrading their payment terminals to support chip and PIN enabled cards: $100 million
  • The estimated income generated from the sale of 2 million stolen cards: $53.7 million
  • The number of people in chief information security officer or chief security officer jobs at Target: 0[2]

Case study: Cupid Media Pty Ltd

With those very large numbers ringing in your ears, I’d like to take the time to look at an example of an Australian data breach that we investigated, and to discuss my findings in this case.

In June this year, I handed down my findings in the case of Cupid Media Pty Ltd. Cupid operates over 35 dating websites targeted at specific audiences, based on personal profile including ethnicity, religion and location. In January 2013, hackers gained unauthorised access to Cupid webservers and stole the personal information of approximately 254,000 Australian Cupid site users. The personal information compromised included full name, date of birth, email addresses and passwords. Our office was made aware of this data breach through media reporting, not through a data breach notification directly from Cupid.

This case highlights the importance of organisations conducting ongoing testing and maintenance of security systems to minimise the risk of a hack succeeding, and to ensure they are able to respond quickly if one occurs — hacks will keep occurring and organisations need to account for that threat when considering their obligation to keep personal information secure. That being said, Cupid’s vulnerability testing processes did allow it to identify the hack and respond quickly.

However, my investigation found that, at the time of the incident, Cupid did not have password encryption processes in place. Password encryption is a basic security strategy that may prevent unauthorised access to user accounts. Cupid insecurely stored passwords in plain text, and I found that to be a failure to take reasonable security steps, as required under the Privacy Act.

Some of the personal information that was compromised was old, which also demonstrates the importance of securely destroying or permanently de-identifying personal information that is no longer required. Holding onto old personal information that is no longer needed needlessly places individuals at risk. Organisations must identify out of date or unrequired personal information and have a system in place for securely disposing with it.

When I released my findings I was pleased to be able to commend Cupid on their collaborative and cooperative approach in working with us. I also acknowledged the significant remedial steps taken by Cupid in response to the breach. And while this did not affect my finding that they had breached the Privacy Act, it did mean that I was able to assist them to reverse, as far as possible, the damage done by the incident.

Breaches due to inadequate or careless electronic information security are the primary type of data breaches these days. However, hardcopy data breaches remain a contributor in the field as well. You may remember the investigation report into the Pound Road medical centre data breach — I have to say, it was odd to need to say, in 2014, that storing medical records in a garden shed was an insufficient level of data security.

Countering the human element of data breach

Dr Kathleen Callaghan uses a ‘swiss cheese’ model of accident causation to describe the human element of data breaches. According to her theory:

  • Human error is not the cause of a data breach only the catalyst
  • The root cause is a failure in systems design. Human error is a known risk: people make errors. Knowing this, organisations must design systems to mitigate the risk of human error.

The ‘Swiss cheese’ model is an illustration of how organisational failures at a number of levels can combine to create a situation in which human error can trigger a data breach.

According to Callaghan, organisations should aim to switch from the ‘swiss cheese’ model to the ‘cheddar cheese’ model. The ‘cheddar cheese’ model reflects a system; even if there is a failure at one of the levels, the protections inherent in the other levels will prevent the breach from occurring.

We see many data breaches where the human element is a factor in the breach. In most cases, these data breaches could have been prevented by improved staff training in privacy and personal information handling, or by designing systems to decrease the risk in the case of human error.

Two examples of common situations we see include:

The loss of portable devices containing personal information. Laptops, external hard drives of USB sticks are often left in taxis, on trains, or misplaced in the office. This is a known risk, however often these devices are not encrypted or even password protected.

Information that has been insufficiently de-identified being released as data or statistics. This is another known risk, and often occurs due to failures in process, or a lack of staff training.

It is therefore critical that all staff members (including contractors and service providers) understand the importance of good information handling and security practices. Privacy training may alert staff to avoid practices that may result in a data breach, by ensuring that they understand their responsibilities, and are more conscious of the risks.

Our Guide to information security outlines a number of steps and strategies that would be reasonable for organisations to take, and these will help you prevent human error in information security, and help prevent data breaches more generally. These strategies includes steps such as implementing robust governance, ICT security, physical security, staff training, workplace policies on data handling and security and Australian or International standards.

The Guide also strongly recommends that organisations consider the information life cycle — what is needed, when, and how can we manage the risks at all phases of the cycle — and ensure that monitoring and review processes are in place.

Does a hack mean I’m off the Privacy Act hook?

Being hacked is an increasingly common form of data breach, and it’s something all organisations need to protect against. When the new privacy laws came into effect in early March this year there were incorrect media reports suggesting that organisations that experienced a data breach as a result of a cyber-attack or hack were ‘off the hook’ or wouldn’t be held accountable for the exposure of personal information.

I responded to this by releasing a statement saying that this was simply not true. The Australian Privacy Principles are very clear in the expectation that even though an organisation my not be taken to have ‘disclosed’ personal information in this kind of situation, if a third party intentionally exploits the organisation’s security vulnerabilities and gains unauthorised access to personal information, a breach may still be found under APP11.

This is because an organisation is required to take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. Failure to take reasonable steps to prevent unauthorised access such as a cyber-intrusion may be a breach of APP 11, and the Cupid data breach that I outlined earlier is a perfect example of this.

Regular review of information security measures is crucial, particularly given how frequently organisations change their processes, information, personnel, applications and infrastructure. This risk is further highlighted by constant shifts technology, as new concepts are developed and, on the other hand, unforeseen problems develop.

The recently exposed Heartbleed and Shellshock bugs sent organisations around the world rushing to update processes in order to comply with this basic principle — technology is an amazing asset to business and government alike, but it also means that we have to be vigilant to the ever changing landscape of potential risks.

It is because of this changing landscape that our office expects organisations not just to assess their processes, but also to regularly monitor the operation and effectiveness of the steps and strategies they have taken to protect personal information.

Privacy by design

Which leads me nicely into the need for privacy by design. Our office recently took part in the Global Privacy Enforcement Network privacy sweep of mobile apps, and we found that 70% of the apps we looked at failed to provide a privacy policy or terms and conditions prior to download.

Given the rising popularity of apps that collect personal information — such as banking, health insurance, and social media apps, to name just a few types — this has the potential to be a serious privacy risk for people around the world. Our office, in conjunction with GPEN, are planning some follow up action later in the year, so stay tuned for that.

Our office has released a range of guidance for organisations to help them build and support privacy throughout their systems. Earlier this year we released a revised privacy impact assessment guide, and a guide to developing a privacy policy, both of which are designed to help organisations build privacy into their processes and their culture. And in the last two months we released a revised Mobile apps developers’ guide and a revised data breach notification guide. These are important guides — the first in helping a rising technology to be privacy conscious from inception, and the second to assist organisations in planning for, and responding to data breaches, whatever the type.

You will all be familiar with the APPs, and particularly APP11, but I just wanted to take this opportunity to remind you that the APP guidelines are a key resource for all organisations — these should be your first port of call when you’re wondering how to interpret the Privacy Act, how to update your processes, or what to do about a privacy concern.

We have also recently completed consultation on a revised version of our Information Security guide, and the updated guide will be available within the next month. This guide has always been an important resource, and in updating it to comply with the new privacy legislation, we also asked stakeholders to comment on areas that could be updated and revised to take into account emerging technologies and changes in processes. Some key submissions we received covered areas such as the management third party providers, taking into account the increasing shift towards the use of cloud service providers in both the private and public sectors, the use of Australian and international standards, including the use of ISO 27,000, and the need to create a culture of personal information security. We are currently revising the guide, taking into account this feedback, and we hope to have it ready for release shortly.

In conclusion I would just like to say something that won’t come as any surprise to this audience: information security should be a bedrock for all organisations — the foundation on which your privacy processes are built. Our office is working hard to ensure that all Australian organisations have the guidance and support they need to build a culture of privacy and information security, and we’re expecting you all to step up to this challenge.

Footnotes

[1] Ponemon 2013 cost of a data breach study: Australia (PDF) <http://www.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-australia-report-2013.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Jun_worldwide_CostofaDataBreach>.

[2] What a major data breach costs: Target by the numbers <http://www.smh.com.au/it-pro/security-it/what-a-major-data-breach-costs-target-by-the-numbers-20140506-zr5ny.html>