Precedent (Australian Lawyers Alliance)

Jackson, Margaret --- "Data breaches" [2016] PrecedentAULA 4; (2016) 132 Precedent 10

DATA BREACHES

By Margaret Jackson

Significant data breaches resulting in the unauthorised disclosure of personal information are being reported by the media in growing numbers. This article examines the obligations placed on data collectors to keep information secure, the current law around data breaches in Australia, and possible remedies for individuals injured as a result of a data breach. The Australian government has committed to introducing mandatory data breach notification legislation and this article briefly examines the notification regime proposed by the government.

INTRODUCTION

Over 40 countries, including Australia, have data protection laws or guidelines requiring organisations that collect personal data to keep that data reasonably secure. Despite this obligation, massive personal data breaches continue to occur around the world, many resulting in financial losses to individuals due to fraud and identity theft. Frequently, these data breaches involve organisations which are located in jurisdictions other than Australia but which collect the personal data of Australians.

However, remedies for individuals who have suffered injury or damage as a result of data breaches are limited, as are the consequences for organisations that have not taken reasonable care in the storage of data.

One approach taken by legislators in some jurisdictions in an attempt to reduce data breaches has been to require all data breaches to be reported to a nominated regulator, usually the Privacy Commissioner, and in many cases to the affected individuals. At present, Australia has voluntary data breach reporting guidelines (with one exception), but a draft mandatory data breach notification Bill was released by the government on 3 December 2015.[1] This article examines the current and proposed laws concerning data breaches in Australia, briefly describes overseas developments and discusses one recent data breach.

EXAMPLES OF RECENT DATA BREACHES

Recent data breaches have involved the Hong Kong company VTech (the personal records of 6.3 million children and 4.8 million adults hacked in November 2015);[2] the American company Adobe Systems (2.9 million customers’ information stolen by hackers in October 2013);[3] LivingSocial (over 50 million users affected in an attack on 29 April 2013);[4] and Target (70 million customers’ records stolen between November and December 2013).[5]

While many Australians were affected by the breaches mentioned above, a growing number of breaches have also involved Australian organisations. Some breaches have arisen mainly from employee error rather than from deliberate hacking by outsiders. In 2015, for example, Woolworths accidentally emailed to 1,000 people an Excel spreadsheet containing the names and email addresses of approximately 8,000 customers who had purchased gift cards, plus the codes needed to redeem those gift cards, worth $1.3 million. By the time the error was discovered, thousands of dollars on the gift cards had been spent, but not by the legitimate card owners.[6] In late 2014, the Australian Department of Immigration and Border Protection accidentally emailed to a sporting club the personal details, including the passport numbers and visa details, of national leaders attending the G20 Summit in Brisbane. When the error was discovered, the Department chose not to reveal the breach to those affected but did advise the Australian Privacy Commissioner.[7] Also in 2014, the same Department accidentally leaked the personal details of approximately 10,000 asylum seekers in Australia through its website.[8] The Australian Competition and Consumer Commission (ACCC) also suffered a data breach in April 2014, when subscriber email addresses were made accessible on its websites.[9]

Two data breaches in October 2015 that did result from deliberate hacking affected David Jones and Kmart. Within two days of each other, both companies announced that their websites had been hacked and that personal data including customers’ names, email addresses, delivery and billing addresses, phone numbers and purchase details had been stolen.[10]

By far the most media coverage in 2015 was given to the unauthorised publication of personal information from a dating website. In July 2015, the operators of the Ashley Madison website, a site devoted to arranging extra-marital affairs, announced that hackers had accessed the personal files of 39 million members. The site had 250,000 Australian users. The reason for the hack, according to the hackers, was that they considered the site had lied to members about deleting their personal profile once a member left the site. Members in fact had to pay an additional fee to have their details removed, and even then the data was still not fully deleted.[11]

There was a worldwide outcry condemning users of the website, but less outrage about the data breach itself. The names and email addresses of members made public were sorted through by journalists and ordinary people to see which members could be named and shamed. In some cases, extortion attempts were made. There have also been media reports of suicides linked to the breach.[12]

Whatever we think about the objectives of the Ashley Madison site, it should be pointed out that it is not a crime to join such a dating site or to have an affair; it is not a crime to set up a site to encourage affairs; and only in some circumstances is it a crime to hack a site and steal or disclose personal data.

LEGAL OBLIGATION TO KEEP PERSONAL INFORMATION SECURE

There are three ways in which an obligation to keep personal information secure is imposed on data collectors – through data protection legislation and guidelines; through industry standards; and through consumer or trade practices legislation.

1. Data protection legislation and guidelines

In Australia, the Privacy Act 1988 (Cth) requires those entities it covers to take reasonable steps to protect individuals’ information from misuse, interference and loss, and from unauthorised access, modification or disclosure.[13] Small businesses (with a few exceptions) are exempted from the operation of the Act, resulting in only about 6 per cent of Australian businesses being covered.

In the event of a failure to comply with the Australian Privacy Principles (APPs) – for example, failing to secure personal information appropriately – the Privacy Commissioner has had the power, since March 2014, to investigate a privacy breach reported to him, to initiate an investigation into an alleged breach on his own motion and, under s33 of the Act, to issue an enforceable determination. Civil penalties can also be sought in respect of serious or repeated interferences with the privacy of an individual, including breaches of the APPs. The Commissioner has accepted two enforceable undertakings since March 2014: one in respect of Optus, and the other in respect of Business Service Brokers Pty Ltd (trading as TeleChoice).[14]

To assist organisations, the Privacy Commissioner has released a Guide to Securing Personal Information.[15] The guide discusses what personal information security involves, why it is necessary, and how personal information should be protected. It then explains how the Commissioner will examine what steps the entity in question took to protect the information and whether those steps were reasonable in the circumstances.[16] It recommends that the entity adopt a privacy-by-design approach when developing new processes to collect personal information, preferably through a privacy impact assessment.[17]

The Privacy Commissioner has also introduced a Privacy Management Framework to assist businesses.[18]

2. Industry standards

The PCI Security Standards Council (PCI) has issued security standards for organisations handling payment card data. The PCI comprises the credit card organisations American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.[19] The PCI Data Security Standard (PCI DSS) was first developed in 2006 and was most recently revised in April 2015.[20] The PCI DSS mandates 12 security requirements to be implemented by all businesses that accept credit and debit card payments.

Some Privacy Commissioners, including the Australian Privacy Commissioner, advise organisations to adopt accepted information security standards, such as the ISO/IEC 27000 series on information security management and the ISO 31000 series of risk management standards, to ensure that data-handling practices are appropriate.[21]

Adherence to an approved standard can be used as a defence against claims of negligence.[22] Failure to comply, on the other hand, has resulted in findings that an organisation failed to take sufficient steps to protect the security of personal information.[23]

3. Consumer protection or trade practices regulation

In some jurisdictions, the government corporate watchdog uses either consumer protection or unfair competition legislation to make companies responsible for information security. In the United States (US), the Federal Trade Commission (FTC) considers that a company’s failure to adhere to its own stated policies is a deceptive act or practice, and the majority of its data breach and security cases against businesses have argued this.[24]

By way of penalties, the FTC generally requires organisations to undergo biannual third-party audits of their policies and security program over a 20-year period[25] and, if warranted, will apply significant civil penalties.[26]

In the United Kingdom (UK), both the financial regulator and the Information Commissioner have issued substantial fines to organisations on the grounds that they had failed to comply with their privacy policies.[27]

Neither the ACCC nor the Australian Securities and Investments Commission (ASIC) has acted in this way to date but, in June 2014, the Australian Energy Regulator (AER) issued an infringement penalty against Lumo Energy for breaches of the National Electricity Rules. The fine of $20,000 was levied because the company had failed to meet the information security standards with which it is obliged to comply as a participant in the Australian online wholesale trading system.[28]

REMEDIES FOR INDIVIDUALS IN THE EVENT OF A DATA BREACH

The remedies available to an Australian individual whose personal information has been disclosed without authorisation as a result of a data breach, such as one of the 250,000 Australian members of the Ashley Madison website, are fairly limited. It is difficult to locate the hackers in such cases, although many countries, including Australia, have introduced some form of cybercrime offence relating to unauthorised access to data. There have been only a few reported criminal cases associated with data breach incidents,[29] and most of the charges concerned fraud and fraudulent activities related to credit cards, and identity theft.[30] No such cases have been reported in Australia.

Most affected individuals will look for remedies against the organisation that collected and stored their personal data. Legal action against Avid Life Media, the parent company of Ashley Madison, has commenced in Canada and the US, relying mainly on negligence and breach of contract; violations of the Stored Communications Act, 18 USC § 2702, or similar Acts; identity theft; consumer protection legislation; and the tort of invasion of privacy. The lawsuits in both countries are seeking class action status. In the US, the plaintiffs are arguing that they suffered injury through embarrassing information being leaked to the public, together with some monetary losses. There have been only a few cases in the US in which an individual has succeeded in similar actions involving a data breach, and in those cases the plaintiffs had to demonstrate that they had suffered a loss of money or property, actual damages or a substantial injury.[31]

Australia has neither a tort of invasion of privacy nor laws specifically addressing serious data breaches, leaving victims of data breaches with only limited options. They can lodge a complaint with the Privacy Commissioner alleging that the website was in breach of the APPs and failed to keep the information it collected secure. Such action is most likely to lead to the company having to agree to improve its security. Victims who can prove that they have suffered financially due to the breach could sue the organisation for breach of contract, seeking damages on the basis that it failed to keep their personal information secure. There are a few other actions, such as misrepresentation, that could be taken, but all would be difficult.[32]

The difficulty increases if the company is in another jurisdiction. In the Ashley Madison case, its head office is in Canada, which is the jurisdiction governing its contracts with members.

MANDATORY NOTIFICATION OF DATA BREACHES

It has only been in the last decade that some jurisdictions have imposed an obligation on a data collector to report data breaches to a nominated authority, to the individual or to both, particularly breaches that have the potential to lead to loss or injury to the affected individuals. The purpose of these laws is to make organisations more aware of their responsibilities to secure personal data. The first and most well-known data breach notification law is the California Security Breach Information Act (SB-1386) introduced in 2003.

Forty-seven US states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information.[33] While there are differences, most statutes state that breaches of encrypted data need not be reported.

In the European Union (EU), only data breaches suffered by telecommunication companies are required to be reported. The EU is proposing to introduce a mandatory data breach notification scheme as part of its new General Data Protection Regulation, but this requirement may not be implemented for a few years yet.[34]

In Australia, the Privacy Commissioner has released voluntary data breach notification guidelines.[35] The focus of the guidelines is on ensuring that the system defect which allowed the unauthorised access is corrected, assessing the extent of the risk to both the data subject and the organisation, and prevention of future breaches. Public notification is not a requirement and is presented as an action that can be taken to mitigate potential loss, rather than as a duty to inform data subjects what has happened.

In 2012, the Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act) was passed. Section 75(1) of the PCEHR Act requires participants covered by the Act to report data breaches. A notifiable data breach may be intentional or accidental and must be reported to the Privacy Commissioner and the System Operator (the Department of Health). The System Operator must notify consumers.

Notifications to the Privacy Commissioner cover the what, who and how of the breach and the remedial steps taken to date. The notification should be made ‘as soon as possible’. If the breach is not notified, civil penalties of up to $90,000 for a body corporate may apply.

In 2008, the Australian Law Reform Commission (ALRC) recommended in its report, For Your Information: Australian Privacy Law and Practice, that a data breach notification obligation be included in the Privacy Act.[36] This obligation would arise if the entity or the Privacy Commissioner considered that a data breach might give rise to a real risk of serious harm to any affected individuals. This recommendation was not adopted by the then government.

In October 2012, the then Attorney-General released a discussion paper, entitled Australian Privacy Breach Notification, seeking submissions on whether Australia should introduce a mandatory data breach notification law and, if so, how it should operate. As a result of the submissions received, the Privacy Amendment (Privacy Alerts) Bill 2013 was introduced in May 2013. Its purpose was to introduce a mandatory requirement for an entity covered by the Privacy Act to report a serious data breach to the Australian Information Commissioner and, in most cases, to the individuals concerned. The Bill was not passed before the federal election held on 7 September 2013. The Privacy Amendment (Privacy Alerts) Bill 2014 (Cth) was re-introduced by the Opposition on 20 March 2014. The Bill was similar to the 2013 Bill, but did not progress through Parliament.

In April 2015, amid the scrutiny and debate around the passing of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth), the federal government announced that it would introduce a mandatory data breach notification law by the end of 2015. This did not occur but, on 3 December 2015, the federal Attorney-General released a draft mandatory data breach notification Bill together with a Discussion Paper, Mandatory data breach notification, an Explanatory Memorandum and a document titled Regulation Impact Statement on the Privacy Amendment (Notification of Serious Data Breaches) Bill 2014.[37]

The Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 is to be inserted into the Privacy Act and will apply only to those organisations covered by the Act; that is, federal government agencies and private sector organisations earning over $3 million revenue per annum, plus telecommunications service providers covered by the Data Retention Act 2015. An organisation that experiences a data breach first decides if it is a serious breach or not. Then, if it considers it to be a serious breach, it notifies the Privacy Commissioner and affected individuals ‘as soon as practicable’ after the breach occurs, or at least within 30 days.[38] A serious data breach is defined as one in which there is a ‘real risk of serious harm to an individual as a result of unauthorised access or disclosure of information’ or if ‘information is lost in circumstances where unauthorised access or disclosure is likely to occur’ and if it does, it ‘will result in a real risk of serious harm to any of the individuals to whom the information relates’.[39] Serious harm is defined by s26WF to include physical, psychological, emotional, economic and financial harm and reputational harm.

An entity will have up to 30 days from the breach occurrence to investigate whether the breach is a serious breach or not. The Privacy Commissioner will have power to direct an entity to complete a notification of a breach if the Commissioner considers that a serious data breach has occurred.

The notification must include the name and contact details of the entity, a description of the serious data breach that the entity believes has happened, the kinds of information concerned and recommendations about the steps that individuals should take in response to the serious data breach that the entity believes has happened.[40]

The focus of the Bill is on reporting serious data breaches only, in an attempt to reduce the compliance burden on entities and to avoid notification fatigue among individuals. Unlike the ALRC recommendation and much of the legislation in the US states, there is no automatic exemption from notification if the data at risk was encrypted. However, the format of the data, among other matters, can be taken into account by an entity when it is determining whether a real risk of serious harm to an individual exists.[41] The ALRC had recommended that the Privacy Commissioner be able to exempt an entity from notifying affected individuals where it is in the public interest to do so, and this power has been included in the Bill.[42] The major flaw in the proposed legislation is the same one levelled against the Privacy Act – that is, that it will apply only to approximately 6 per cent of Australian businesses.

CONCLUSION

The importance of data protection and data security can be seen in the wake of data breaches at large corporations, where the hacking of personal information is not limited to the information of a handful of individuals but extends to the personal data of hundreds of thousands (or millions) of people.

The continuing reporting of incidents of unauthorised access to personal data appears to indicate a lack of care being taken by organisations and agencies to protect that data. Much of the personal data accessed has been revealed to be predominantly unencrypted, or only partially encrypted. This is so whether the data is stored on internal servers, is transferred outside the organisation or is stored on mobile devices such as laptops and memory sticks.

Regulators, whether they are empowered by trade practices or data protection legislation, have made it clear, particularly in the US and the UK, that there is a legal obligation to protect personal data through encryption. Both the UK Information Commissioner and the FTC have used the lack of encryption by a data holder as a trigger to impose penalties and sanctions.

Most states in the US have introduced data breach notification laws, and some countries have done so or are proposing to do so.

Generally, organisations should be selective about the personal information they collect, and conscious of whether its collection and retention are necessary. There is a link between agencies and organisations taking responsibility for keeping the personal data they have collected secure and data breach notification legislation. If the data collector and holder take steps, for example, to encrypt personal information, then the data breach notification requirements generally do not apply, as only unencrypted information requires notification. It may be that a data breach notification requirement will provide an incentive for agencies and organisations to keep information secure.

Margaret Jackson is an Emeritus Professor at the College of Business, RMIT University. Her latest book, with Dr Gordon Hughes, is Private Life in a Digital World, 2015, Thomson Reuters.


[1] Attorney-General, Media Release, ‘Consultation Opens on Serious Data Breach Notification Bill’ (3 December 2015).

[2] T Hunter, ‘When children are breached – inside the massive VTech hack’ (28 November 2015), http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html.

[3] J Finkle, ‘Adobe data breach more extensive than previously disclosed’, Reuters (29 October 2013), http://www.reuters.com/article/2013/10/29/us-adobe-cyberattack-idUSBRE99S1DJ20131029.

[4] R Westervelt, ‘LivingSocial Data Breach Affects Millions’, CRN News (29 April, 2013), http://www.crn.com/news/security/240153803/livingsocial-data-breach-affects-millions.htm.

[5] M Clark, ‘Timeline of Target's Data Breach and Aftermath: How Cybertheft Snowballed for the Giant Retailer’, International Business Times (5 May 2014), http://www.ibtimes.com/timeline-targets-data-breach-aftermath-how-cybertheft-snowballed-giant-retailer-1580056.

[6] CNet, ‘Data breach sees Woolworths gift cards leaked in email blunder’ (1 June 2015), http://www.cnet.com/au/news/data-breach-sees-woolworths-gift-cards-leaked-in-email-bungle/.

[7] The Guardian, ‘Personal details of world leaders accidentally revealed by G20 organisers’ (30 March 2015), http://www.theguardian.com/world/2015/mar/30/personal-details-of-world-leaders-accidentally-revealed-by-g20-organisers.

[8] A Coyne & P Cowan, ‘Immigration department confirms asylum seeker data breach’, IT News (19 Feb 2014), http://www.itnews.com.au/News/372741,immigration-dept-admits-asylum-seeker-data-breach.aspx.

[9] D Pauli, ‘ACCC subscriber email addresses exposed’, IT News (11 April 2014), http://www.itnews.com.au/News/382610,accc-subscriber-email-addresses-exposed.aspx.

[10] W Ockenden, ‘David Jones computer system hacked and customers' private details stolen’, ABC News (2 October 2015), http://www.abc.net.au/news/2015-10-02/david-jones-computer-system-hacked-customer-details-stolen/6824170.

[11] Krebs on Security, ‘Online Cheating Site Ashley Madison Hacked’ (19 July 2015), http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/.

[12] See, for example, John Doe vs Avid Life Media Inc, US District Court, No. 15-cv-06405.

[13] Privacy Act 1988 (Cth), Sch 1, Australian Privacy Principle (APP) 11.1.

[14] See OAIC press releases, October 2015, https://www.oaic.gov.au/media-and-speeches/media-releases/telechoice-resolution-provides-remedy-to-affected-individuals-and-offers-better-security-for-all-customers, and 27 March 2014, https://www.oaic.gov.au/media-and-speeches/media-releases/australian-privacy-commissioner-accepts-enforceable-undertaking-to-enhance-information-security-at-optus.

[15] OAIC, Guide to securing personal information: ‘Reasonable steps’ to protect personal information (January 2015), http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/guide-to-securing-personal-information.

[16] OAIC (January 2015), pp12-15.

[17] Ibid, p8.

[18] OAIC, Privacy Management Framework (August 2015), https://www.oaic.gov.au/agencies-and-organisations/guides/privacy-management-framework.

[19] See https://www.pcisecuritystandards.org/security_standards/index.php.

[20] See https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0 (rev’d April 2015).

[21] OAIC (January 2015), p40.

[22] Guin v Brazos Higher Education Services Corp, Inc 2006 WL 288483 (D Minn 2006); Forbes v Wells Fargo Bank, NA 420 F Supp 2nd 1018 (D Minn 2006).

[23] Out-Law.com, ‘Breach of payment card data security standard leads to £175,000 ICO fine for insurer’ (25 February 2015), http://www.out-law.com/en/search-results/?terms=PCI+DSS; Out-Law.com, ‘Fine should prompt businesses to address threat of “SQL injection” attacks, says ICO’ (7 November 2014), http://www.out-law.com/en/articles/2014/november/fine-should-prompt-businesses-to-address-threat-of-sql-injection-attacks-says-ico/.

[24] J Woods, ‘Federal Trade Commission’s Privacy and Data Security Enforcement under Section 5’ (no date) http://www.americanbar.org/groups/young_lawyers/publications/the_101_201_practice_series/federal_trade_commissions_privacy.html.

[25] See FTC, September 2013, https://www.ftc.gov/news-events/press-releases/2013/09/marketer-internet-connected-home-security-video-cameras-settles.

[26] See, for example, FTC, ‘Google will pay $22.5 million to settle FTC charges it misrepresented privacy assurances to users of Apple’s Safari internet browser’ (9 August 2012), http://www.ftc.gov/news-events/press-releases/2012/08/google-will-pay-225-million-settle-ftc-charges-it-misrepresented.

[27] FSA, ‘HSBC firms fined over £3million for information security failings’ (22 July 2009), http://www.fsa.gov.uk/pages/Library/Communication/PR/2009/099.shtml.

[28] Ashurst Australia, ‘Company fined for not securing information system’, Online TMT News (12 June 2014), www.ashurst.com/doc.aspx?id_Content=10540.

[29] In re TJX Companies Inc, Assurance (22 June 2009): http://www.mass.gov/Cago/docs/press/2009_06_23_tjx_assurance.pdf.

[30] CSO, ‘Man Accused in TJX Data Breach Pleads Guilty’ (9 June 2009): http://www.cso.com.au/article/260222/man_accused_tjx_data_breach_pleads_guilty.

[31] In Re Hannaford Bros Co Customer Data Security Breach Litigation, Decision and Order on Defendant Hannaford Bros Co’s Motion to Dismiss, Case No. 2:08-MD-01954-DBH (US District Court, Maine, 12 May 2009) p30.

[32] Allens.com, ‘Focus: Ashley Madison – Litigation Risks Exposed’ (15 September 2015), http://www.allens.com.au/pubs/priv/fopriv15sep15.htm.

[33] NCSL, State Security Breach Notification Laws (22 October 2015), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.

[34] Out-Law, ‘Businesses should not need to publicise personal data breaches if data is encrypted, say EU ministers’ (14 October 2014), http://www.out-law.com/en/articles/2014/october/businesses-should-not-need-to-publicise-personal-data-breaches-if-data-is-encrypted-say-eu-ministers/.

[35] OAIC, ‘Data breach notification guide: A guide to handling personal information security breaches’ (August 2014), http://www.oaic.gov.au/images/documents/privacy/privacy-resources/privacy-guides/data-breach-notification-guide-august-2014.pdf.

[36] ALRC, For Your Information: Australian Privacy Law and Practice, Report 108, Ch 51, Recommendation 51.1, (August 2008), http://www.alrc.gov.au/publications/report-108.

[37] Attorney-General, Serious data breach notification, https://www.ag.gov.au/Consultations/Pages/serious-data-breach-notification.aspx.

[38] Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, s26WC.

[39] Ibid, s26WB(2)(a) and (b).

[40] Ibid, s26WC(3).

[41] Ibid.

[42] Ibid, s26WC(6)-(8).


URL: http://www.austlii.edu.au/au/journals/PrecedentAULA/2016/4.html