Commonwealth Bank enters into an enforceable undertaking with the Australian Information Commissioner. A weak and ineffective regulatory response to serious data breaches.
July 2, 2019 |
On 27 June the relatively new Information Commissioner signed off on an enforceable undertaking with the Commonwealth Bank of Australia arising out of two data breaches. The first, in 2016, involved the loss of two magnetic data tapes containing, according to the Information Commissioner, customer statements relating to up to 20 million customers. The CBA was not able to work out whether the tapes were destroyed or something else became of them. The second breach arose in August 2018, with sensitive information being accessible to employees who were not entitled to access that material. This enforceable undertaking was entered into with the CBA already the subject of a very critical APRA report on the CBA’s risk management and reactive approach to compliance. The CBA had entered into an enforceable undertaking with APRA in early May 2018. And yet the CBA was involved in a second data breach three months later, in August 2018. What does that say about CBA’s commitment to risk management?
There is a contrast in styles between the Information Commissioner’s media release and that of the Bank.
The Commissioner’s media release reads as if the enforceable undertaking was a major regulatory success, forcing changes and imposing stringent requirements on the CBA. It provides:
The Commonwealth Bank of Australia (CBA) will be required to substantially improve its privacy practices under a court-enforceable undertaking given to the Australian Information Commissioner and Privacy Commissioner.
The binding commitment follows inquiries by the Office of the Australian Information Commissioner (OAIC) into CBA’s handling of personal information in relation to two data incidents:
- the loss of magnetic storage tapes containing historical customer statements for up to 20 million bank customers by a third-party provider to CBA in May 2016
- inadequate internal access controls to customer data reported to the OAIC in August 2018.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said the inquiries took into account a report from the Australian Prudential Regulation Authority (APRA) which found CBA was reactive in dealing with risks and compliance matters.
“The Australian community expects financial service providers, and indeed all organisations, to be proactive in protecting the personal information they hold,” Commissioner Falk said.
“Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction.
“As a result of this work, CBA has committed through a court-enforceable undertaking to substantially improve their privacy practices.”
Commissioner Falk said all organisations regulated under the Privacy Act 1988 should proactively manage their data holdings to protect people’s personal information.
“When an organisation is entrusted with our personal information, access must be limited to a need-to-know basis and the data must not be kept past its use-by date,” she said.
“This matter should send a sharp reminder to all organisations that data holdings must have a clearly defined retention period and should be securely destroyed or de-identified when no longer needed. Failing to do so can increase the risk that personal information will be compromised.
“Organisations are also responsible for enforcing these measures when outsourcing to contracted service providers.”
The enforceable undertaking requires CBA to review its privacy policies, procedures and retention standards, and provide staff training to ensure compliance. CBA must also assess its IT services and systems to make sure it takes appropriate steps to control access to customers’ personal information.
The undertaking will be overseen by an independent external reviewer, who will consult with and report to the OAIC on CBA’s compliance. The OAIC may take court action at any stage if CBA does not fully comply with the terms of the undertaking.
The enforceable undertaking is part of the OAIC’s ongoing work in regulating data handling practices in the financial services sector, including compliance with the Notifiable Data Breaches scheme.
Background
An enforceable undertaking is a legally enforceable agreement between the Commissioner and an organisation or agency that creates a binding commitment to take steps to ensure privacy compliance.
2016 data loss incident
In May 2016, a third-party provider to CBA lost two magnetic storage tapes during their transport for destruction. The tapes primarily contained customer statements for the period from 31 May 2000 to 19 January 2016 belonging to approximately 20 million bank customers.
At the time CBA voluntarily notified the OAIC of the data loss, the OAIC undertook inquiries to ensure that the CBA had in place measures to monitor for any unauthorised access and to prevent reoccurrence. The tapes were unable to be found and an independent report commissioned by CBA concluded that the most likely scenario was that they had been disposed of.
In May 2018, the OAIC made further inquiries with CBA to establish whether it had improved its practices to ensure adequate protection of customers’ personal information. The OAIC took into account the release of a report by the Australian Prudential Regulation Authority which raised concerns with CBA’s management of non-financial risks.
These additional inquiries by the OAIC indicated that CBA was not clearly identifying retention periods for its personal information holdings across CBA banking services, and lacked sufficient systems and procedures to destroy or de-identify personal information once no longer needed and to ensure compliance by its contractors.
2018 data access issue
In August 2018, CBA voluntarily notified the OAIC that, during the course of data segregation activities for the sale of its insurance entity Colonial Mutual Life Assurance Society Ltd (CMLA), it had identified 16 shared applications containing CMLA customer information which may have been accessible to non-CMLA employees of the Bank.
In response to the OAIC’s inquiries, CBA advised the OAIC of remedial action it was taking to segregate the CMLA customer information within the 16 applications and implement appropriate access controls. CBA confirmed it has an ongoing investigation overseen by an independent expert to determine whether any personal information was subject to unauthorised access. To date, no evidence of unauthorised access has been reported.
The OAIC identified concerns that CBA did not have sufficient controls to review, log and monitor access to personal information across all areas of its business.
The CBA’s media release, Enforceable Undertaking accepted by the Australian Information Commissioner, paints a picture of the CBA providing the proposed undertaking and it being accepted by the Commissioner. An altogether different dynamic. It provides:
The Australian Information Commissioner (Commissioner) has accepted an Enforceable Undertaking (EU) offered by Commonwealth Bank of Australia (CBA).
The EU underpins execution of further enhancements to the management and retention of customer personal information within CBA and certain of its subsidiaries.
The EU follows CBA’s ongoing work to address two incidents; one relating to the disposal of magnetic data tapes containing historical customer statements; and the other relating to internal user access to certain systems and applications containing customer personal information. CBA reported both incidents to the Office of the Australian Information Commissioner (OAIC) in 2016 and 2018 respectively and has since been working to address these incidents.
As previously announced, CBA has found no evidence to date, as a result of these incidents, that our customers’ personal information was compromised, or that there have been any instances of unauthorised access by CBA employees or third parties.
CBA’s commitments in the EU announced today include reviewing and implementing further enhancements to:
- internal privacy policies, procedures and record retention standards;
- internal user access controls on systems and applications that hold personal information; and
- the privacy risk management and monitoring processes that apply to service providers to CBA and certain subsidiaries.
The EU provides CBA with 90 days to develop and submit to the OAIC a work plan, and timetable of work that CBA will complete to meet its obligations under the EU.
Commonwealth Bank Group Chief Risk Officer, Nigel Williams, said: “We have offered this EU as a demonstration of our continued commitment to appropriately managing the privacy of customer personal information, and addressing any concerns identified by the Commissioner.
“We continue to take action to address issues, earn trust and be a better bank for our customers. This includes proactively engaging with our regulators to ensure we continue to build better systems, processes and controls to manage the personal information of our customers.”
By any measure it is a good result for the CBA. It is also a good template to use when negotiating with the Information Commissioner: report quickly to the Commissioner and adopt as much of a public-service engagement posture as possible. Have meetings, talk about what processes will be put in place, and set out a detailed timetable with aspirational targets and outcomes. There are no fines or court actions, which would be a significant impost on the CBA.
There are two issues in this matter: whether the enforceable undertaking is an appropriate regulatory response to two serious data breaches, and whether the terms of the enforceable undertaking are sufficiently stringent. The answer is a fairly clear no to both questions. The 2016 breach was serious and revealed very poor privacy practices and controls. And it involved records of 20 million customers. The 2018 breach compounded the systemic errors. Yet the Commissioner lauds the “cooperation” of the CBA and imposes a light-touch and limited program upon the CBA, one it should be following as a matter of course. There is some embarrassment for the CBA, and inconvenience in having an external auditor monitor the work; however, it is nothing compared with the 10- and 20-year enforceable undertakings imposed by the US Federal Trade Commission together with heavy fines. There is none of that here.
The Undertaking is quite a bureaucratic document, much given over to Work Plans, Confirmation of the Work Plans and Material Changes to the Work Plan, Progress Reports and Activity Completion Statements with Activity Completion Reports. It is a morass of public-service palaver. But compared to what the CBA would have expected if the UK Information Commissioner or the FTC had jurisdiction, it is the ultimate get-out-of-jail-free card.
The Information Commissioner is where APRA and ASIC were three years ago with undertakings in the financial industry: keen exponents of enforceable undertakings with organisations that go through the motions and undertake the process without really changing the culture. Enforceable undertakings have been shown to be an ineffective regulatory tool in Australia. They paper over problems and deal poorly with culture. That is why ASIC has changed tack and is issuing proceedings. Unfortunately the Information Commissioner has failed, or refuses, to learn this lesson.
The undertaking provides:
Commonwealth Bank of Australia: enforceable undertaking
Privacy Act 1988 (Cth) Undertaking to the Australian Information Commissioner
under
section 114 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth)
This Undertaking is given to the Australian Information Commissioner (Commissioner) by
Commonwealth Bank of Australia ACN 123 123 124 (CBA).
1 Definitions and Interpretation
1.1 Definitions
In addition to terms defined elsewhere in this Undertaking, the following definitions apply:
Activities means each of the obligations imposed on CBA under paragraph 8 of this Undertaking.
Activity Completion Report has the meaning set out in paragraph 16(a)(ii)(A) of this Undertaking.
Agreed Work Plan has the meaning set out in paragraph 12(b)(iii)(A) of this Undertaking.
APPs means the Australian Privacy Principles set out in Schedule 1 to the Privacy Act.
Assurance Plan means, in respect of any financial year, a plan setting out CBA’s scheduled assurance activities for that financial year.
CBA Banking Services means any business conducted by CBA, or by a subsidiary of CBA, that provides banking or financial products and services to consumers in Australia, but excluding:
- any financial planning services that are not provided under the ‘Commonwealth Financial Planning’ brand;
- any products or services provided by, or operations conducted under, the ‘Bankwest’ brand; and
- any products or services provided, or operations conducted, by a CBA Excluded Subsidiary
CBA customer means any customer of CBA Banking Services, or any person who has at any time been a customer of CBA Banking Services or any person who has provided any personal information to CBA or any Related Body Corporate of CBA in connection with a proposal to become a customer of CBA Banking Services, whether or not that person becomes a customer of CBA Banking Services.
CBA Excluded Subsidiary means:
- any subsidiary of CBA incorporated in a jurisdiction other than Australia;
- any subsidiary of CBA in respect of which CBA does not (directly or indirectly) hold a 100% ownership interest;
- Residential Mortgage Group Limited and its subsidiaries;
- Australian Investment Exchange Limited; and
- AHL Holdings Pty Limited and its subsidiaries.
CBA IT Service means an information technology service, comprising systems, applications and hardware (or any one or more of them), which is used by CBA to support a business process for, or related to, CBA Banking Services (whether or not used by CBA for any other purpose).
CBA Key Applications has the meaning set out in paragraph 8.3 of this Undertaking.
CMLA means The Colonial Mutual Life Assurance Society Ltd, ABN 12 004 021 809.
CMLA Related Remedial Work means each of the obligations imposed on CBA under paragraph 9 of this Undertaking.
Commencement Date means the date on which this Undertaking, executed by CBA, is accepted by the Commissioner.
Contractor means a third party that:
- is a party to a contract with CBA for the supply of products or services to CBA Banking Services (CBA Contract); and
- accesses or holds personal information of CBA customers, or any sensitive information, for the purpose of performing its obligations under the CBA Contract.
Data Access Logging Mechanisms means the mechanisms implemented by CBA to record access by CBA employees to the CBA Key Applications, the CBA IT Services and any other systems, applications and customer records (or any one or more of them).
Data Incidents means the 2016 Data Incident and the 2018 Data Access Issue.
Enforceable Undertaking or Undertaking means this written undertaking given to the Commissioner by CBA under section 114 of the Regulatory Powers Act and for the avoidance of doubt includes all schedules.
GDW has the meaning set out in Confidential Schedule 1 to this Undertaking.
Independent Expert has the meaning set out in paragraph 10(a) of this Undertaking.
Material Change means any change to the Agreed Work Plan that:
- is, or (in CBA’s opinion) is likely to result in, an extension to a timeframe within which an Activity is to be completed;
- would result in any material change to the actions that would be taken by CBA to complete an Activity; or
- would result in any Activity being excluded from the Agreed Work Plan, or any modification to the scope or nature of an Activity for the purposes of the Agreed Work Plan.
OAIC means the Office of the Australian Information Commissioner.
Policy means CBA’s internal privacy policy, which sets out high-level principles that govern the decision-making and conduct of CBA and its employees in relation to CBA’s obligations under the Privacy Act.
Privacy Act means the Privacy Act 1988 (Cth).
Privacy Procedures means CBA’s business and support unit privacy procedures, which outline operational steps or processes for complying with the Policy.
Progress Report has the meaning set out in paragraph 14 of this Undertaking.
Proposed Activity Completion Date means:
- in respect of the Activities set out at paragraph 8.1 to paragraph 8.5 (inclusive), the date which is 36 months after the Commencement Date; or
- in respect of the Activities set out at paragraph 8.6, the date which is 48 months after the Commencement Date.
Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014 (Cth).
Related Body Corporate has the meaning given to that term in the Corporations Act 2001 (Cth).
Retention Standard means CBA’s record retention standards, which set the standards for the retention and disposal of records (including records, in any format, containing personal information) by CBA.
Revised Work Plan has the meaning set out in paragraph 12(c) of this Undertaking.
Sensitivity and Security Classification Controls means CBA’s controls (both technical and procedural) to assign and record the classification of CBA’s information assets (including personal information).
Term means the period from, and including, the Commencement Date to, and including, the date on which CBA provides the report of the audit under paragraph 17 to the Commissioner.
User Access Controls means the controls (both technical and procedural), by which CBA grants, monitors and restricts access by CBA employees to the CBA Key Applications, the CBA IT Services and any other systems, applications and customer records of CBA (or any one or more of them).
User Access Profiles means the access rights and privileges associated with a particular role of a CBA employee.
Work Plan has the meaning set out in paragraph 11(a) of this Undertaking.
2016 Data Incident means the data incident described in paragraph 3.1 of this Undertaking.
2018 Data Access Issue means the data access issue described in paragraph 3.2 of this Undertaking.
1.2 Interpretation
Unless the contrary intention appears:
- terms defined in the Privacy Act have the same meaning in this Enforceable Undertaking as they have in the Privacy Act;
- the words includes, including, and similar expressions are not used as, nor intended to be interpreted as, words of limitation;
- a reference to time is a reference to Sydney, Australia time;
- a reference to a day is a calendar day, and to be interpreted as the period of time commencing at midnight and ending 24 hours later; and
- a reference to a month is a calendar month.
2 Background
(a) CBA is a body corporate incorporated in Australia, and an organisation within the meaning of section 6C of the Privacy Act.
(b) CBA engages in the business of providing banking services to customers, including to individuals, in Australia and elsewhere. CBA holds personal information and is required by the Privacy Act to, among other things, take reasonable steps to:
  (i) implement practices, procedures and systems relating to CBA’s functions or activities that will ensure CBA complies with the APPs in respect of that information, as required by APP 1.2;
  (ii) protect personal information CBA holds from misuse, interference and loss, and from unauthorised access, modification or disclosure, as required by APP 11.1; and
  (iii) destroy or de-identify personal information that CBA no longer needs for any purpose, nor is required to retain under an Australian law, or a court/tribunal order, as required by APP 11.2.
3 Data Incidents Background
3.1 2016 Data Incident
(a) On 21 April 2016, a vendor of CBA dispatched two magnetic data tapes containing historical CBA customer statements to its supplier for secure destruction.
(b) Following CBA’s request for destruction certificates, on 9 May 2016, the vendor advised CBA that the data tapes were missing, prompting CBA to mobilise its incident response team and to commence an independent forensic investigation into the loss.
(c) CBA also implemented heightened security monitoring of customer accounts as a precaution against suspicious account activity.
(d) Despite comprehensive enquiries, CBA was unable to confirm the secure destruction of the data tapes. The independent forensic investigation concluded that the most likely scenario was that the package containing the data tapes had been disposed of.
(e) The OAIC considered the information provided by CBA to the OAIC in relation to the 2016 Data Incident in June and October 2016 and determined in October 2016 that it would not take further regulatory action at that time.
3.2 2018 Data Access Issue
(a) In August 2018, CMLA (the life insurance subsidiary of CBA) informed the OAIC that, during the course of the data segregation activities for its sale, it had identified that certain shared applications within the CBA group contained information of a sensitive nature relating to CMLA customers, including sensitive information and government related identifiers. This information was accessible in some form to some CBA group employees who were not employees working within CMLA. CMLA identified 16 shared applications which contained the CMLA customer information described above.
(b) On discovering this issue, CBA and CMLA commenced remedial action in respect of the 16 applications to segregate the information described in subparagraph (a) above and implement appropriate access controls to restrict access to that information by any CBA group employees who were not employees working within CMLA.
(c) CBA is undertaking an investigation, with the assistance of an independent expert, McGrathNicol Advisory, to determine whether the CMLA customer information contained in the 16 applications (and described in subparagraph (a) above) had been subject to unauthorised access by non-CMLA employees. As at the date of this Undertaking, that investigation is ongoing and CBA has not identified any instances of unauthorised access by CBA group employees to this information.
4 The OAIC’s Response to the Data Incidents
(a) The OAIC has undertaken preliminary inquiries under s 42(2) of the Privacy Act in relation to the Data Incidents over the period since May 2018.
(b) The OAIC has notified CBA that, as a result of its preliminary inquiries, it has concerns arising from the Data Incidents, which indicate deficiencies in CBA’s management of personal information, namely:
  (i) the 2016 Data Incident raises issues with CBA’s compliance with APP 1.2 and APP 11.2; and
  (ii) the 2018 Data Access Issue raises issues with CBA’s compliance with APP 1.2 and APP 11.1.
5 Acknowledgment
(a) CBA has cooperated with the OAIC and responded to the OAIC’s preliminary inquiries in relation to the Data Incidents.
(b) CBA has also undertaken, and is undertaking, certain remedial action with the aim of ensuring that incidents similar to the Data Incidents do not recur.
(c) CBA, however, acknowledges the Commissioner’s concerns regarding the Data Incidents. Accordingly, CBA offers this Enforceable Undertaking to the Commissioner under section 114 of the Regulatory Powers Act to address those concerns.
6 Undertaking limited to matters expressly dealt with
The only obligations CBA is required to perform pursuant to this Undertaking are those expressly set out in this Undertaking.
7 Term of Undertaking
(a) This Undertaking continues for the Term.
(b) If at any time CBA, acting reasonably, determines that it is unlikely to complete the:
  (i) Activities by the applicable Proposed Activity Completion Date; or
  (ii) CMLA Related Remedial Work by the date specified in paragraph 9,
  CBA will notify the Commissioner within 14 days of such determination.
(c) If CBA notifies the Commissioner under paragraph 7(b), the parties will negotiate in good faith to agree any amendments to this Undertaking that are reasonably necessary to ensure that CBA completes the relevant Activities, or the CMLA Related Remedial Work (as applicable), as soon as practicable and, if practicable, prior to the applicable timeframe referred to in subparagraph (b) above. The Commissioner retains full discretion to determine whether or not to agree to any such amendments and may take any action she determines is necessary following a notification to the Commissioner under paragraph 7(b), including applying to the Federal Court of Australia for an order under section 115 of the Regulatory Powers Act.
8 Activities
This Undertaking requires CBA to complete each of the Activities set out in this paragraph 8 by the applicable Proposed Activity Completion Date.
8.1 Policy, Privacy Procedures and Retention Standard
(a) CBA will:
  (i) undertake a review of the Policy, and implement any changes to the Policy that are necessary to ensure it sets out the:
    (A) requirements under the Privacy Act, as they apply to CBA Banking Services, that must be met by CBA and its employees; and
    (B) accountabilities of CBA employees to ensure such compliance; and
  (ii) prepare a written version of the Privacy Procedures for CBA Banking Services, which specify the operational steps and processes to be implemented by CBA Banking Services and its employees to ensure compliance with the Policy (as amended in accordance with paragraph 8.1(a)(i)).
(b) CBA undertakes to:
  (i) engage an appropriately qualified external expert to provide advice on CBA’s obligations to retain personal information that is collected or held for the purposes of CBA Banking Services; and
  (ii) having regard to the external expert’s advice under paragraph 8.1(b)(i), review the Retention Standard as it applies to CBA Banking Services, and implement any changes to the Retention Standard that are necessary to ensure CBA Banking Services’ practices relating to the retention or disposal of records containing CBA customer personal information comply with the Privacy Act.
(c) CBA will operationalise the Policy, Privacy Procedures and Retention Standard (in each case as amended in accordance with this paragraph 8.1) in CBA Banking Services by:
  (i) updating and documenting CBA Banking Services’ controls to meet the control objectives set out in the Privacy Procedures and Retention Standard (which may include manual or automated environments). Where no controls exist as part of CBA Banking Services’ existing controls, CBA Banking Services will follow its existing operational and compliance risk management frameworks to record and remediate any controls gaps to meet the control objectives set out in the Privacy Procedures and Retention Standard, taking into account that the level of automated controls will be dependent on (among other things) business processes in CBA Banking Services;
  (ii) using its best endeavours to increase awareness of, and providing training on, the Policy, Privacy Procedures and Retention Standard to directors of CBA and to all CBA employees working within CBA Banking Services who may have access to CBA customer personal information in the course of performing their duties; and
  (iii) making the Policy, Privacy Procedures and Retention Standard accessible to all CBA employees working within CBA Banking Services, including on CBA’s internal website and by providing copies of the Policy, Privacy Procedures and Retention Standard, and any amendments to those documents, to its directors.
(d) commencing on and from 1 July 2020, and for the remaining Term of this Undertaking, CBA will include in each of its CBA Banking Services’ Assurance Plans, and implement, an annual review of compliance by CBA Banking Services with the Policy, Privacy Procedures and Retention Standard. CBA will, as soon as is practicable, take action to remedy any non-compliance that is identified as a result of any such annual review.
8.2 Privacy Impact Assessments
CBA will:
(a) undertake a review of its existing privacy impact assessment process having regard to the Privacy Act and the OAIC’s Guide on undertaking privacy impact assessments (dated May 2014), implement any changes to that privacy impact assessment process that will assist CBA’s compliance with the Privacy Act and will specify when a privacy impact assessment is required in the Privacy Procedures;
(b) incorporate the privacy impact assessment process (including any amendments to that process as a result of the review under subparagraph (a) above) into CBA Banking Services’ existing risk and controls management processes; and
(c) use its best endeavours to ensure that CBA employees working within CBA Banking Services undertake privacy impact assessments as required by the Privacy Procedures (as updated in accordance with paragraph 8.1).
8.3 CBA Key Applications
For the applications listed in Confidential Schedule 1 (CBA Key Applications), CBA undertakes to:
(a) review the existing User Access Controls that protect personal information held in CBA Key Applications and implement any changes to those User Access Controls that are necessary to ensure access to such information is limited to those User Access Profiles that are permitted to have such access, having regard to the Privacy Act, including in particular APP 11.1;
(b) implement an annual review of User Access Profiles that apply to each CBA Key Application, including the personal information access privileges assigned to those User Access Profiles;
(c) design and implement a review process to assess each CBA employee’s continued eligibility in respect of User Access Profiles (which authorise access to applications and personal information held in CBA Key Applications). CBA will ensure that this review process will be undertaken each time a change in the position of any CBA employee occurs (at or before the time that change occurs);
(d) based on the findings of each of the reviews under subparagraphs (b) and (c) above, remove any users identified, as at the date the relevant review is completed, as not requiring access to the relevant CBA Key Applications;
(e) review the Sensitivity and Security Classification Controls that apply to the classification of personal information held in CBA Key Applications at the date of review (such controls to be further defined in the Agreed Work Plan) and implement all necessary changes to those Sensitivity and Security Classification Controls which are required to ensure compliance by CBA with APP 11.1;
(f) review CBA’s existing Data Access Logging Mechanisms that log access to CBA customer personal information held in CBA Key Applications (such mechanisms to be further defined in the Agreed Work Plan) (the Access Logs), and implement all necessary changes to:
  (i) ensure the Access Logs are subject to specific retention periods;
  (ii) identify the User Access Profiles that are permitted to access the Access Logs; and
  (iii) ensure that Access Logs are available to those User Access Profiles identified under subparagraph (f)(ii) above for the purpose of undertaking investigations into suspected incidents of unauthorised access to personal information held in CBA Key Applications and for use in connection with CBA’s internal user behaviour analytics technology; and
(g) apply CBA’s internal user behaviour analytics technology to CBA Key Applications to assist CBA in identifying potentially suspicious application-user behaviour, which may be indicative of inappropriate access to information held in a CBA Key Application.
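The access-control Activities in paragraph 8.3 describe, in regulatory language, a periodic access review: check the profiles themselves, check each user against the profile for their current role, re-check on every change of position, revoke what is not covered, and keep the access logs for a defined period. As an added illustration (not part of the undertaking, and not CBA's own tooling), the following Python runs such a review over constructed data. The application names, roles, business units, employees and dates are all hypothetical; the misconfigured profile and the stale grants are planted so that each check finds something.

```python
"""Added illustration of the access-review controls in paragraph 8.3(b)-(d) and
the log-retention control in 8.3(f)(i). All data here is constructed; the
application names, roles and business units are hypothetical, not CBA's."""
from dataclasses import dataclass
from datetime import date, timedelta

# User Access Profiles (8.3(b)): the entitlements a role is permitted to hold,
# as (application, privilege) pairs.
PROFILES = {
    "cmla_claims_officer": {("CLAIMS-DB", "read"), ("CLAIMS-DB", "write")},
    "cmla_underwriter":    {("CLAIMS-DB", "read"), ("POLICY-ADMIN", "read")},
    "retail_teller":       {("CORE-BANKING", "read")},
    # Planted misconfiguration: a retail role granted a CMLA application.
    "retail_branch_mgr":   {("CORE-BANKING", "read"), ("CORE-BANKING", "approve"),
                            ("POLICY-ADMIN", "read")},
}
ROLE_UNIT = {"cmla_claims_officer": "CMLA", "cmla_underwriter": "CMLA",
             "retail_teller": "RETAIL", "retail_branch_mgr": "RETAIL"}
# Which business unit's customer data each shared application holds.
APP_OWNER = {"CLAIMS-DB": "CMLA", "POLICY-ADMIN": "CMLA", "CORE-BANKING": "RETAIL"}


@dataclass(frozen=True)
class Employee:
    uid: str
    role: str


@dataclass(frozen=True)
class Grant:
    uid: str
    app: str
    privilege: str


@dataclass(frozen=True)
class AccessLog:
    ts: date
    uid: str
    app: str
    record_id: str


def review_profiles(profiles, role_unit, app_owner):
    """Annual profile review (8.3(b)): an entitlement is suspect when the role's
    business unit is not the unit whose customer data the application holds.
    This is the shape of the 2018 issue, where a shared application was
    reachable by employees outside the unit that owned the data."""
    findings = []
    for role, entitlements in profiles.items():
        for app, priv in sorted(entitlements):
            if app_owner.get(app) != role_unit.get(role):
                findings.append((role, app, priv))
    return findings


def review_access(employees, grants, profiles):
    """User review (8.3(c)/(d)): return (grant, reason) pairs to revoke, i.e.
    any entitlement not in the profile of the holder's *current* role. Accounts
    with no active employee, or roles with no profile, fail closed."""
    by_uid = {e.uid: e for e in employees}
    revoke = []
    for g in grants:
        emp = by_uid.get(g.uid)
        if emp is None:
            revoke.append((g, "no active employee"))
        elif (g.app, g.privilege) not in profiles.get(emp.role, set()):
            revoke.append((g, f"not in profile '{emp.role}'"))
    return revoke


def on_position_change(uid, new_role, employees, grants, profiles):
    """Re-run the user review for one person at the moment their position
    changes (8.3(c)); returns the grants the new role's profile does not cover."""
    updated = [Employee(e.uid, new_role) if e.uid == uid else e for e in employees]
    return [r for r in review_access(updated, grants, profiles) if r[0].uid == uid]


def prune_access_logs(logs, today, retention_days):
    """Apply a defined retention period to the Access Logs (8.3(f)(i)). Both
    lists are returned so that the expiry itself is auditable."""
    cutoff = today - timedelta(days=retention_days)
    kept = [entry for entry in logs if entry.ts >= cutoff]
    expired = [entry for entry in logs if entry.ts < cutoff]
    return kept, expired


# Constructed sample data for a single review run.
EMPLOYEES = [Employee("alice", "cmla_claims_officer"),
             Employee("bob", "retail_teller"),
             Employee("carol", "cmla_underwriter")]   # moved from claims officer
GRANTS = [Grant("alice", "CLAIMS-DB", "read"), Grant("alice", "CLAIMS-DB", "write"),
          Grant("bob", "CORE-BANKING", "read"),
          Grant("bob", "CLAIMS-DB", "read"),         # retail staff on a CMLA app
          Grant("carol", "CLAIMS-DB", "read"), Grant("carol", "POLICY-ADMIN", "read"),
          Grant("carol", "CLAIMS-DB", "write"),      # left over from old role
          Grant("dave", "CORE-BANKING", "approve")]  # dave has left the bank
LOGS = [AccessLog(date(2019, 1, 1), "bob", "CLAIMS-DB", "C-1001"),
        AccessLog(date(2019, 6, 1), "alice", "CLAIMS-DB", "C-1002"),
        AccessLog(date(2019, 6, 30), "carol", "POLICY-ADMIN", "P-77")]

if __name__ == "__main__":
    for finding in review_profiles(PROFILES, ROLE_UNIT, APP_OWNER):
        print("profile finding:", finding)
    for g, why in review_access(EMPLOYEES, GRANTS, PROFILES):
        print(f"revoke {g.uid} {g.app}:{g.privilege} ({why})")
    kept, expired = prune_access_logs(LOGS, date(2019, 7, 1), 90)
    print(f"logs kept={len(kept)} expired={len(expired)}")
```

Two design points matter more than the code. First, the review is keyed to the employee's current role, not to whatever was granted historically, so a change of position (carol's move from claims to underwriting) surfaces the leftover write privilege without anyone having to remember it. Second, unknown accounts and roles with no profile are revoked rather than ignored; an access review that silently skips what it cannot classify is exactly how a leaver's approval privilege survives.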
8.4 Contractors
CBA undertakes to:
(a) review the privacy risk management and monitoring processes that apply to Contractors and implement changes to those processes to ensure that CBA complies with its obligations under the APPs;
(b) implement reasonable monitoring of each Contractor’s compliance with its contractual obligations to CBA governing the handling of personal information (including reasonable monitoring of compliance with any contractual obligation to destroy or de-identify personal information) having regard to the rights of CBA under the relevant contract as to the manner in which it may monitor the Contractor’s compliance with such obligations; and
(c) ensure that each Contractor undertakes to provide, or procure the provision of, privacy training to its employees who may have access to personal information of CBA customers in the course of performing any contract with CBA for the supply of products or services to CBA Banking Services.
8.5 Data Tapes
To address its compliance with APP 11.2, CBA will:
- use best endeavours to identify magnetic data tapes within the control or possession of CBA Banking Services which CBA reasonably believes contain unknown or unreadable content, or CBA customer personal information;
- if CBA identifies any data tapes under subparagraph (a) above, determine (if appropriate, after obtaining external expert advice) whether any of the identified data tapes must be destroyed, or any customer personal information thereon de-identified or destroyed, having regard to the content of those tapes and APP 11.2 as it applies to CBA Banking Services; and
- where an identified data tape should be destroyed, or customer personal information thereon de-identified or destroyed, use its best endeavours to procure the secure destruction of the relevant data tape, or the de-identification or destruction of the customer personal information contained on the relevant data tape.
8.6 CBA Customer Systems and Applications
CBA undertakes to:
- identify all CBA IT Services that collect or hold any personal information of CBA customers (CBA Customer Systems and Applications);
- appoint the Independent Expert to rank each CBA Customer System and Application in order of risk, having regard to:
  - the risk of access to the relevant CBA Customer System and Application by CBA employees, for whom access to the CBA Customer System and Application is not reasonably necessary for the performance of their duties; and
  - the sensitivity and volume of CBA customer personal information collected or held by the relevant CBA Customer System and Application; and
- appoint the Independent Expert to prepare a plan that, having regard to the ranking of each CBA Customer System and Application completed by the Independent Expert in accordance with subparagraph (b):
  - specifies, in respect of each CBA Customer System and Application, any action that CBA should take to ensure compliance by it with APP 11.1 in relation to the personal information that is collected or held in that CBA Customer System and Application (Systems and Applications Process); and
  - specifies the timeframes for the performance of the Systems and Applications Process; and
- complete the Systems and Applications Process, in a staged manner, and in accordance with the plan prepared under subparagraph 8.6(c) above.
9 CMLA Related Remedial Work
CBA undertakes to procure the performance of the user access review set out in Item 1 of Confidential Schedule 2 in respect of the applications set out in Item 2 of Confidential Schedule 2 within 30 days of the completion of the sale of CMLA and provide the findings of the review to the Commissioner within 30 days of the review’s completion.
10 Engagement of Independent Expert
- Within 14 days of the Commencement Date, CBA will engage a suitably experienced and qualified independent external person, approved by the Commissioner (the Independent Expert), to undertake the tasks set out in paragraph 10(c) of this Undertaking.
- CBA will ensure that the person engaged to be the Independent Expert under paragraph 10(a) is a reputable forensic practice operating in Australia with specialists in audit, information technology, data storage and cyber security, and with sufficient available resources to complete the tasks referred to in paragraph 10(c).
- The Independent Expert will be responsible for:
  - undertaking the tasks allocated to it under paragraph 8.6;
  - reviewing the Work Plan, and any Revised Work Plan, and confirming the Agreed Work Plan subject to the process set out in paragraph 12;
  - providing CBA and the Commissioner with six monthly Progress Reports on CBA’s progress against the Agreed Work Plan in accordance with paragraph 14;
  - providing CBA with Activity Completion Reports, and other reports, in accordance with paragraph 16;
  - completing the audit described in paragraph 17; and
  - carrying out any other tasks allocated to it under this Undertaking, or by CBA, for the purposes of this Undertaking.
- CBA undertakes to provide to the OAIC, within 21 days of the Commencement Date, a copy of the terms of engagement pursuant to which the Independent Expert is engaged to undertake the tasks set out in this Undertaking.
11 Agreed Work Plan
Within 90 days of the Commencement Date, CBA will:
- prepare a work plan, the objective of which must be the completion of all of the Activities, in an appropriately staged manner, by the applicable Proposed Activity Completion Date and, where relevant, within the timeframes set out in paragraph 8 (Work Plan); and
- confirm the Work Plan with the Independent Expert in accordance with the process set out in paragraph 12 of this Undertaking.
12 Agreed Work Plan Confirmation Process
- CBA will provide the Work Plan to the Independent Expert setting out:
  - the action CBA will take to ensure completion of the Activities;
  - timeframes within which each of the Activities will be completed in order to ensure that CBA is able to complete the Activities by the applicable Proposed Activity Completion Date and, where relevant, within the timeframes set out in paragraph 8; and
  - who will be accountable within CBA for delivering on each action in subparagraph (i) above within the timeframes specified in subparagraph 12(a)(ii).
- CBA will require the Independent Expert to, not later than 14 days after receipt of the Work Plan under paragraph 12(a):
  - consult with the Commissioner regarding the Work Plan;
  - complete its review of the Work Plan, taking into consideration its consultation with the Commissioner, to assess whether completion of the actions in the Work Plan will result in completion of the Activities by the applicable Proposed Activity Completion Date and, where relevant, within the timeframes set out in paragraph 8; and
  - either:
    - provide CBA with written confirmation that completion of the actions in the Work Plan will result in completion of all of the Activities by the applicable Proposed Activity Completion Date and, where relevant, within the timeframes set out in paragraph 8, in which case the Work Plan will become the Agreed Work Plan; or
    - provide a written report to CBA that identifies any deficiencies in the Work Plan, and provide recommendations to address those deficiencies (Work Plan Report).
- Where the Independent Expert has provided a Work Plan Report, CBA undertakes to provide the Independent Expert with a revised Work Plan (Revised Work Plan) within 7 days after the date on which it receives the Work Plan Report, which:
  - incorporates (in addition to the content set out under paragraph 12(a)) the actions CBA proposes to take to address the deficiencies identified in the Work Plan Report; and
  - in respect of any recommendations identified in the Work Plan Report which CBA will not implement, provide reasons and, where appropriate, reasonable alternative action that CBA proposes to take to address the relevant deficiencies identified in the Work Plan Report.
- Within 5 days of the Independent Expert’s receipt of a Revised Work Plan under paragraph 12(c), the process in paragraphs 12(b), and 12(c) will be repeated in respect of the Revised Work Plan as if it were the Work Plan.
- CBA will provide a copy of the Agreed Work Plan to the Commissioner within 7 days of the date it is confirmed by the Independent Expert in accordance with this Undertaking.
- CBA will prepare a summary of the Agreed Work Plan (excluding any content that is confidential information), setting out at a high-level the proposed steps CBA will take to complete the Activities and the timetable for completion of the Activities (Summary). CBA will make the Summary publicly available on its website.
13 Material Changes to Agreed Work Plan
- If CBA wishes to make a Material Change to the Agreed Work Plan, CBA must submit the proposed Material Change to the Independent Expert and the Commissioner in writing, including reasons for the Material Change and any other information that CBA wishes to include.
- The Independent Expert must, within 7 days of receipt of a proposed Material Change under paragraph 13(a), consult with the Commissioner regarding the proposed Material Change, assess the proposed Material Change (taking into consideration its consultation with the Commissioner) and advise CBA (copied to the Commissioner) whether the proposed Material Change is, in the Independent Expert’s view, reasonably necessary for CBA to comply with its obligations under this Undertaking.
- Where the Independent Expert provides a written confirmation in respect of a proposed Material Change under paragraph 13(b) confirming that it has determined that the proposed Material Change is reasonably necessary for CBA to comply with its obligations under this Undertaking, the Agreed Work Plan is varied accordingly.
- Following a variation to the Agreed Work Plan in accordance with subparagraph (c) above, CBA will promptly update the Summary to the extent necessary to ensure it is accurate, and will make the updated Summary publicly available on its website.
- For the avoidance of doubt, nothing in this paragraph 13 limits the operation of paragraph 7 of this Undertaking.
14 Progress Reports
The Independent Expert will provide CBA and the Commissioner with a report on a 6 monthly basis setting out for the preceding 6 month period:
- CBA’s progress against the actions in the Agreed Work Plan; and
- all changes made by CBA to the Agreed Work Plan (Progress Reports),
with the first Progress Report to be provided on the date which is 6 months after the Commencement Date.
15 Activity Completion Statement
CBA undertakes to provide written confirmation to the Independent Expert and the Commissioner within 14 days of completion of an Activity or, if CBA has grouped two or more Activities into an Activity group (Activity Group), within 14 days of completion of an Activity Group. CBA undertakes to provide written confirmation to the Independent Expert and the Commissioner that CBA has completed the relevant Activity or Activities (Activity Completion Statement).
16 Activity Completion Report
- The Independent Expert will, within 14 days after receipt of an Activity Completion Statement under paragraph 15 (or such later date as agreed between the OAIC and CBA and notified to the Independent Expert):
  - assess whether CBA has completed the relevant Activity or Activities; and
  - either:
    - provide CBA and the Commissioner with a written report confirming that CBA has completed the relevant Activity or Activities (Activity Completion Report); or
    - provide CBA and the Commissioner with a written report if it identifies that the relevant Activity or Activities have not been completed in accordance with the Undertaking and recommend reasonable timeframes for the completion of the Activity or Activities.
- Where the Independent Expert has provided a report under paragraph 16(a)(ii)(B), CBA undertakes to complete the relevant Activity or Activities within the timeframes specified in that report, and provide a revised Activity Completion Statement to the Independent Expert and the Commissioner within 7 days of completion of the relevant Activity.
- Following receipt of the revised Activity Completion Statement, the Independent Expert will, within 7 days of receipt, repeat the process set out in paragraph 16(a) in respect of the revised Activity Completion Statement as if it were the relevant Activity Completion Statement.
17 Audit of Compliance
- Not later than 6 months after the final Activity Completion Report is provided by the Independent Expert to CBA, CBA will procure the Independent Expert to undertake and complete an audit of CBA Banking Services to determine whether the actions taken by CBA in respect of the Activities have been operationalised, which will include an audit of compliance by CBA Banking Services with the Policy, Privacy Procedures and Retention Standard.
- Within 14 days of receipt of the report of the audit, CBA will provide the report of the audit to the Commissioner.
18 Provision of Information
- CBA will provide relevant documents and information requested by the Commissioner from time to time within 14 days of written request (or such later date as agreed between the OAIC and CBA) by the Commissioner for the purpose of assessing CBA’s progress in complying with this Undertaking.
- The Commissioner and OAIC acknowledge that the Independent Expert’s reports or audit findings, information and reports relating to the CMLA Related Remedial Work and the CBA Customer Systems and Applications, the Work Plan, the Agreed Work Plan, Progress Reports, Activity Completion Statements, Activity Completion Reports, Confidential Schedule 1, Confidential Schedule 2, and any other information that is provided by CBA, or the Independent Expert, in accordance with this Undertaking, are likely to contain CBA’s sensitive commercial information and security protocols and which is not publicly available information (such information and protocols being commercial-in-confidence information) which, if publicly disclosed, has the potential to undermine the security of CBA’s information technology systems and of the personal information it holds.
- The Commissioner and the OAIC will only:
  - disclose the commercial-in-confidence information with CBA’s written agreement, unless required in response to a request from a House or Committee of the Commonwealth Parliament or otherwise required by law; and
  - use the commercial-in-confidence information for the Commissioner’s privacy regulatory activities.
19 Further Acknowledgments
- CBA agrees that the Commissioner:
  - will publish this Undertaking on the Commissioner’s website;
  - may publicly refer to this Undertaking, including any breach of this Undertaking by CBA;
  - may issue media releases or social media posts and undertake media interviews (or authorise any other OAIC officer to undertake media interviews) on acceptance of this Undertaking, referring to its terms and the circumstances of its acceptance by the Commissioner; and
  - may, if she considers that CBA has breached this Undertaking, apply to the Federal Court of Australia for an order under section 115 of the Regulatory Powers Act.
- CBA recognises that this Undertaking does not derogate from the rights and remedies available to any individual arising from either of the Data Incidents.
Executed by:
Signature of Authorised Signatory: [Signed]
Name of Authorised Signatory: Nigel Williams
Title of Authorised Signatory: Group Chief Risk Officer
Commonwealth Bank of Australia ACN 123 123 124
Dated: 24 June 2019
Witnessed by:
Signature of Witness: [Signed]
Name of Witness: Greer Harris
Accepted by: [Signed]
Name: Angelene Falk
Australian Information Commissioner pursuant to section 114 of the Regulatory Powers Act