Information Commissioner opens investigation into HWL Ebsworth data breach
February 22, 2024
The Information Commissioner has opened a Commissioner-initiated investigation into the HWL Ebsworth data breach, which involved the loss of 1.1 terabytes of data. It has been some time in coming. HWL Ebsworth notified the Commissioner on 8 May 2023 and the Commissioner opened a preliminary inquiry in June 2023. A flaw in the legislation, and in the Commissioner’s approach to regulation, is the lengthy and drawn-out process. Roughly 8 months have passed between the date the preliminary inquiry opened and the date this investigation opens. It will be months, probably many, before the Commissioner completes this investigation. If civil proceedings are then commenced, that will not happen for months more, followed by a couple of years in the Federal Court. The Commissioner’s regulatory action policy needs a significant overhaul.
The other problem with the Commissioner’s approach to regulation is that the results of those investigations typically do not see the light of day, or are quietly announced with little coverage in the media. This is significantly different from the more expansive approach of regulators in the United States, the United Kingdom and the European Union.
HWL Ebsworth adopted a “batten down the hatches” approach to the data breach. After an initial anodyne statement it kept its counsel. It applied for and obtained an injunction against those using information leaked onto the dark web. The utility of that application against the criminals themselves is questionable, but it does restrain non-criminals who may be tempted to access or otherwise view that material. Notwithstanding sporadic stories about which of HWL Ebsworth’s clients were affected, the strategy seemed, overall, to be effective. HWL Ebsworth avoided the intense media scrutiny and censure that Medibank and Optus experienced, even though the data stolen was at least as sensitive, and sometimes more sensitive, than that taken from each of those other organisations.
Given the large volume of data stolen, across the breadth of the firm’s operations, there will be serious questions about the firm’s data storage policies, training and data handling processes, why so much data was retained for so long, and how the hackers were able to range so widely across practice areas.
The Commissioner’s Statement provides:
The Australian Information Commissioner has commenced an investigation into the personal information handling practices of HWL Ebsworth Lawyers (HWLE), arising from a data breach notified to the Office of the Australian Information Commissioner (OAIC) on 8 May 2023. The decision follows the OAIC’s preliminary inquiries into the matter, commenced in June 2023.
The OAIC’s investigation is into HWLE’s acts or practices in relation to the security and protection of the personal information it held, and the notification of the data breach to affected individuals.
The Commissioner has a range of options available to her if following her investigation she is satisfied that an interference with the privacy of one or more individuals has occurred.
This includes making a determination, which can include declarations that HWLE take specified steps to ensure that the relevant act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice. If the investigation finds serious or repeated interferences with privacy of individuals, then the Commissioner has the power to seek civil penalties against HWLE from the Federal Court of Australia.
In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.
About Commissioner-initiated investigations
The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1 under section 40(2) of the Australian Privacy Act 1988.
Under the Notifiable Data Breaches scheme in the Privacy Act, in certain circumstances organisations are required to take such steps as are reasonable to notify affected individuals of an eligible data breach and do so as soon as practicable.
The story has been covered by iTnews in Privacy watchdog to investigate HWL Ebsworth over security and notifications.
The iTnews article provides:
The investigation will cover whether the law firm violated the Privacy Act by failing to protect sensitive data or to properly notify individuals affected by the breach.
The breach saw 1.1TB of data lost to hackers and impacted the data of 65 government agency clients as well as data belonging to private firms.
The Office of the Australian Information Commissioner (OAIC) made “preliminary inquiries” at the time of the breach last year, but said there was now a need to open a formal investigation into the law firm’s “personal information handling practices”.
Depending on the outcome of the investigation, the law firm could face civil penalties or orders to compensate individuals affected by the hack, such as National Disability Insurance Scheme (NDIS) participants whose sensitive medical records were leaked.
If OAIC “is satisfied that an interference with the privacy of one or more individuals has occurred,” HWL Ebsworth could be ordered “to take specified steps to ensure that the relevant act or practice is not repeated or continued and to redress any loss or damage suffered by reason of the act or practice,” a statement read.
OAIC said that its investigation will cover both the protections HWL Ebsworth had in place before the breach and the actions it took to mitigate the damage to individuals affected by it.
“The OAIC’s investigation is into HWL Ebsworth’s acts or practices in relation to the security and protection of the personal information it held, and the notification of the data breach to affected individuals,” it said.
NDIS participants and prospective participants have accused HWL Ebsworth of running “fishing expeditions” in cases they were involved in, putting the firm in receipt of a large amount of personal and sensitive data.
The firm declined to answer iTnews’ questions about why it collected so much information or if it had a data retention policy that would delete sensitive information once the alleged requirement for it had elapsed.
Some 644 appellants in cases involving the NDIA were caught up in the HWL Ebsworth breach. They still have not been told which of their specific health records were exposed.
Others complained that they could not try to check which of their records had leaked because a Supreme Court injunction prevented them from accessing the stolen data set to check.