Privacy Commissioner accepts an enforceable undertaking from TeleChoice

October 28, 2015

TeleChoice has entered into an enforceable undertaking with the Privacy Commissioner arising out of a significant data breach by Business Service Brokers Pty Ltd (ACN 069 049 994) (trading as TeleChoice) (“BSB”).

The Undertaking is found here.

FACTS

The Undertaking stated that BSB (trading as TeleChoice):

  1. provides telecommunications services to individuals;
  2. is an organisation within the meaning of s 6C of the Privacy Act;
  3. is an APP entity under the Privacy Act;
  4. is required to comply with the Privacy Act and the APPs [2.1].

On 23 April 2015 Channel Nine’s A Current Affair showed shipping containers that held documents belonging to BSB, open and apparently accessible to members of the public in Victorian bushland [3.3.1]. The documents contained personal information relating to former BSB customers, including copies of telecommunication services contracts entered into by customers and copies of customer identification documents (such as drivers’ licences, passports, and other identification material) [3.3.2]. The next day, 24 April 2015, BSB provided the OAIC with a voluntary data breach notification to advise the OAIC of the privacy incident and the initial steps taken in response. On the same day, BSB destroyed the documents held in the containers [3.3.3].

BSB stated that the information had been stored within the shipping containers from approximately June 2013 to 23 April 2015. The containers were initially stored on a fenced property in Bentleigh East, Victoria, before being moved in January 2015 to private land in Hastings which was unfenced and physically accessible to members of the public [3.3.4].

BSB claimed that the containers were locked and checked monthly by a BSB employee to ensure continuing security. That said, the containers were broken into by an unknown person at some time after BSB’s latest maintenance visit, which BSB states occurred approximately two weeks before 23 April 2015 [3.3.5]. BSB was unable to determine which individuals had personal information stored in the containers.

The Privacy Commissioner stated that the personal information may have related to any individual who was a BSB customer prior to 31 March 2013 [3.3.6]. On 18 May 2015 the Privacy Commissioner commenced an investigation for the purpose of determining whether BSB had breached APP 11.1 and 11.2 [3.4.2].

DECISION

BSB acknowledged:

  1. that the incident constituted a breach of APP 11.1, as some of the information held in the shipping containers was personal information. While the shipping containers were locked, checked periodically and located on private land, the containers were not adequately secured from physical access. BSB did not take reasonable steps to prevent access to them by unauthorised persons [3.5.1].
  2. that the privacy incident constituted a breach of APP 11.2, in that the personal information stored in the shipping containers could reasonably have been destroyed at some time between when the documents were no longer required and the date on which they were actually destroyed, 24 April 2015 [3.5.2].
  3. that it  did not take reasonable steps to destroy or de-identify that personal information once it was no longer required [3.5.2].

BSB offered the enforceable undertaking under s 33E of the Privacy Act [3.5.3]. The Commissioner noted, at [3.6.1], that:

  1. BSB has cooperated with the investigation, including acknowledging that it has breached APP 11.1 and APP 11.2;
  2. BSB agreed to take steps to address the breach and prevent further breaches from reoccurring; and
  3. BSB offered to take steps to address possible harm to affected individuals,

and that, accordingly, the acceptance of an enforceable undertaking offered by BSB was the appropriate regulatory outcome of the Commissioner’s investigation.

General undertakings

BSB undertakes, at [3.6.2], to:

  1. offer to reimburse the cost of a 12-month credit monitoring service for any individuals who were BSB customers prior to 31 March 2013, and are concerned about the possibility of credit fraud as a consequence of the incident;
  2. conduct a review of the personal information BSB holds to ensure it is secure;
  3. establish written policies and procedures regarding storage and destruction of customer personal information;
  4. in consultation with the OAIC, engage a qualified third party to review certain aspects of BSB’s handling of customer personal information and implement any subsequent recommendations;
  5. develop and conduct regular privacy training for staff;
  6. finalise and implement a data breach response plan;
  7. handle customer personal information in accordance with BSB’s obligations under the Privacy Act [4.3.1];
  8. handle customer personal information in accordance with BSB’s Customer Information Handling Policy and APP privacy policy [4.3.2];
  9. at [4.5.1]:

    1. develop and finalise, within three months of the commencement date, privacy training for BSB staff members about BSB’s obligations under the Privacy Act, including:
      1. training on securing personal information and its destruction
      2. training on how BSB’s privacy obligations apply to staff member’s roles, for example, by including scenario-based training, and
      3. testing of staff members’ understanding at the completion of the training
    2. require all current BSB staff to complete the privacy training of subparagraph 4.5.1(a) within six months of the commencement date
    3. require all new BSB staff to complete privacy training as a part of their induction training when they commence employment
    4. require all BSB staff to complete refresher privacy training at least annually
    5. retain appropriate records of the privacy training all BSB staff have completed or are required to complete.
  10. within three months of the commencement date, at [4.4.1]:
    1. establish and finalise, written policies and procedures about the storage of customer personal information including the conduct of regular audits of BSB’s records of customer personal information
    2. establish and finalise, written policies and procedures about the destruction of customer personal information, including when and how paper based records are to be destroyed
    3. finalise and implement a new data breach response plan in consultation with the OAIC.

Credit protection undertaking

BSB was unable to identify precisely which individuals had personal information stored in the containers. As such, for the purpose of this undertaking, ‘potentially affected individual’ means any person who was a BSB customer or who signed up to a telecommunications service with the assistance of BSB prior to 31 March 2013 [4.2.1].
BSB also undertook to:

  1. within two weeks of the commencement date, provide a contact point for concerned individuals and list the contact point on BSB’s website, together with information informing individuals about how they can take up its offer to provide credit protection services [4.1.1];
  2. reimburse the cost of a 12 month subscription to a credit protection service if any potentially affected individual is concerned about the possibility of credit or identity fraud as a consequence of the incident, provided the individual can reasonably demonstrate to BSB that he or she was a customer of BSB prior to 31 March 2013 (for example, by providing copies of correspondence with BSB or other supporting material such as a statutory declaration) [4.2.2].

BSB further undertook to:

  1. conduct and complete a review and prepare a report within three months of the commencement date that will identify all records of customer personal information it holds (including hardcopy records) and confirm that the personal information is held in accordance with BSB’s obligations in APP 11 [4.6.1];
  2. engage, in consultation with the OAIC, an appropriately experienced, qualified and independent third party (‘the Reviewer’) to review BSB’s practices and procedures;
  3. at [4.6.3], engage the Reviewer to:
    1. review BSB’s practices and procedures (including collection, record keeping, security and record destruction practices and procedures) to assess whether BSB is holding customer personal information in accordance with APP 11.1, and to identify possible areas for improvement
    2. review BSB’s record keeping and record destruction practices and procedures to assess whether BSB is holding customer personal information in accordance with APP 11.2, and to identify possible areas for improvement
    3. where areas for improvement are identified:
      1. make recommendations for how BSB could implement those improvements (Recommendations)
      2. make recommendations as to the time it would reasonably take for BSB to implement the recommendations.
    4. finalise a report of the review set out in paragraph 4.6.2 within six months of the commencement date.
  4. at [4.7.2], provide the OAIC with a copy of the Reviewer’s report referred to in sub-paragraph 4.6.3(d), including recommendations, within two weeks of receiving it, and not later than seven months from the commencement date.
  5. at [4.8.1], having regard to the Recommendations the Reviewer makes, referred to in sub-paragraph 4.6.3(c)(i), to:

    1. provide the OAIC with a project plan to implement the Recommendations in accordance with the time recommendations referred to in sub-paragraph 4.6.3(c)(ii)
    2. implement the project plan to address the Recommendations in accordance with the dates set out in the project plan
    3. provide confirmation to the OAIC that the project plan has been completed.

BSB undertook to provide the OAIC with a copy of the report it prepares within two weeks of its completion, and not later than four months from the commencement date [4.7.1].

BSB will bear the costs of its compliance with this enforceable undertaking [4.9.1] and will not make any statement, orally, in writing, or otherwise, which conveys or implies anything inconsistent with the content of the undertaking [4.9.2] and will provide all documents and information requested by the OAIC from time to time for the purpose of assessing BSB’s compliance with the terms of the undertaking [4.9.3].

BSB acknowledged, at [5.2] that:

  1. the Commissioner’s acceptance of this undertaking does not affect the OAIC’s power to investigate, or pursue other enforcement options available to the Commissioner in relation to any contravention not the subject of the background section of this enforceable undertaking, or arising from future conduct; and
  2. the undertaking in no way derogates from the rights and remedies available under the Privacy Act to any other person, arising from any conduct described in this undertaking or arising from future conduct.

ISSUE

To the extent that action is taken under the undertaking, the structure is similar to that adopted in undertakings in consumer litigation at the Federal and State level. Other than the provision of a credit protection service for 12 months, a methodology developed in the United States in response to data breaches, the balance of the undertakings focus on TeleChoice undertaking to comply with its obligations under the Privacy Act. The appointment of a Reviewer is quite standard practice in consumer affairs undertakings, so that the undertaking party meets the appropriate standard.

BSB should consider itself very fortunate. In the United Kingdom a similar fact situation would have attracted a very hefty monetary penalty notice. In the United States BSB would most likely have had to enter into an undertaking extending over a prolonged period; there, 10 or 20 year periods are not uncommon. The Privacy Commissioner chose not to commence civil penalty proceedings, which he could have done on the facts as reported. It is certainly the sort of infraction that would have warranted such action.

The Australian Information Commissioner issued a press release which provides:

The Acting Australian Information Commissioner, Timothy Pilgrim, has accepted an enforceable undertaking from Business Service Brokers Pty Ltd (trading as TeleChoice), following an incident in which the personal information of former TeleChoice customers was found in a shipping container located on publicly accessible land. The information included the records of individuals who were TeleChoice customers prior to 31 March 2013.

‘The enforceable undertaking provides a positive outcome for people affected by the breach, with TeleChoice agreeing to, amongst other things, reimburse the cost of a 12 month credit monitoring service for affected individuals who are concerned about the possibility of credit fraud,’ said Mr Pilgrim.

The enforceable undertaking finalises an investigation that Mr Pilgrim commenced in May 2015. The Commissioner’s investigation focused on whether TeleChoice took reasonable steps to secure the personal information it held, and to destroy or de-identify personal information that it no longer needed, as required by Australian Privacy Principle (APP) 11.

During the course of the investigation, TeleChoice acknowledged that it had not complied with APP 11, and, as part of the enforceable undertaking, will take specific steps to improve its information security and destruction practices to mitigate the risk of a similar incident occurring in the future.

‘I appreciate TeleChoice’s cooperation with my office during this investigation,’ Mr Pilgrim said. ‘This incident demonstrates the importance of businesses securing the personal information that they hold. Physically locking a container that holds personal information is not sufficient if the container is publicly accessible and unmonitored for extended periods.’

‘I would encourage all businesses to review their customer records storage. Australian customers expect that organisations will handle their personal information securely, and are entitled to this under the Privacy Act,’ Mr Pilgrim said.

The OAIC will continue to liaise with TeleChoice to ensure that it meets its obligations in the enforceable undertaking.

Background information

OAIC first became aware of the incident when it was reported on Channel 9 on 23 April 2015. Telechoice subsequently provided the OAIC with a voluntary data breach notification about the incident on 24 April 2015.

TeleChoice advised that the customer personal information in the shipping container had been awaiting destruction and that the containers had been situated on private land, locked and checked monthly by a maintenance representative. However, unknown individuals had broken into the containers. When TeleChoice became aware of this, it immediately removed all of the customer personal information and destroyed it, except for a small sample. As a result of this, TeleChoice is unable to determine the identity of the customers affected by this incident.

The Office of the Australian Information Commissioner (OAIC) opened a Commissioner-initiated investigation into the incident on 18 May 2015, due to the seriousness of the breach and questions around whether the security safeguards implemented to protect Telechoice customers’ personal information were reasonable in the circumstances.

The Commissioner-initiated investigation focused on whether Telechoice had taken reasonable steps to:

  • protect customer personal information from misuse, interference and loss, and unauthorised access, modification or disclosure (APP 11.1)
  • destroy or de-identify personal information it no longer needed (APP 11.2).

As part of the enforceable undertaking, TeleChoice has also agreed to

  • engage an independent and qualified third party to review its information handling practices and procedures, including its storage of customer personal information
  • implement improvements to its information handling practices, such as by establishing written policies and procedures about the storage of customer personal information.

Affected individuals

TeleChoice advised that only customer records prior to 31 March 2013 may have been stored in the containers, which means only individuals who were TeleChoice customers prior to this may have been affected by this incident.

Individuals who wish to be reimbursed for the cost of a 12 month credit monitoring service will need to demonstrate to TeleChoice that they were a customer prior to 31 March 2013 by, for example, providing copies of correspondence with TeleChoice, or a statutory declaration.

Individuals who think they may have been affected by this incident can contact TeleChoice at privacy.officer@telechoice.com.au.

The undertaking has been reported by itnews in “TeleChoice owns up to 2014 data breach” and by zdnet in “OAIC accepts TeleChoice’s response to shipping container data breach”.

For those interested in the A Current Affair Report it is found here.

2 Responses to “Privacy Commissioner accepts an enforceable undertaking from TeleChoice”

  1. Privacy Commissioner accepts an enforceable undertaking from TeleChoice | Australian Law Blogs

    […] Privacy Commissioner accepts an enforceable undertaking from TeleChoice […]

  2. me

    Peter, I like these YouTube clips. They add a whole new dimension to the blogs! Keep up the great work! Fantastic!