Michael Finney, Director, Bennett & Philp Lawyers
Tiffany Pham
Increasingly, in a digitalised world where consumers demand the convenience of online and near-instantaneous financial transactions, the trust between consumers and businesses is being tested more than ever before over the protection of personal information in those transactions.
Not surprisingly, the protection of such personal information by businesses comes at a cost – both to the business themselves and ultimately to the consumer. These data protection costs are likely to keep escalating given the number and frequency of sophisticated cyber attacks such as those we have reported previously[1],[2] including the Optus, Medibank and Latitude Financial data and privacy breaches, which have raised concerns and created greater community awareness of cyber-safety.
The question is what price consumers are willing to pay, and to demand of businesses, to ensure a ‘reasonable’ level of protection of personal information.
Available Protections under the Privacy Act
In the case of an ‘eligible’ data breach, that is, the unauthorised access to or disclosure of personal information, or the loss of personal information, that is likely to result in serious harm to individuals, individuals are protected under APP 11.1 and section 26WH(2) of the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs).
APP 11.1 declares that an APP entity must take ‘reasonable steps’ to protect personal information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. Additionally, section 26WH(2) of the Privacy Act states that an entity must carry out a reasonable and efficient assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach. Furthermore, once the entity becomes aware of the potential breach, it must take all reasonable steps to ensure that the assessment of the breach is completed within 30 days.
This leads to the vexed question of what ‘reasonable steps’ might mean in circumstances where the size of the entity, the types of information stored and the technological measures used to protect data differ across sectors. Given the uncertainty and lack of jurisprudence on how ‘reasonable steps’ should be interpreted, guidance is much needed to provide greater assurance to consumers and to assist businesses to understand what cyber-security measures are required to remain compliant with the law. The Medibank data breach is currently before the Federal Court and is expected to provide useful guidance on some of these questions, including whether Medibank took reasonable steps to protect its customers’ personal information and whether it implemented practices, procedures and systems to ensure compliance with the APPs.
The Medibank Data Breach
Under the Federal Court proceedings, the OAIC has alleged that Medibank contravened APP 11.1, as well as section 13G of the Privacy Act. Under s 13G, an entity is liable for a civil penalty if it does an act, or engages in a practice, that is a serious or repeated interference with the privacy of an individual.
The OAIC has just published a redacted version of a Concise Statement in respect of the civil penalty enforcement action in the Federal Court against Medibank, available as AIC-v-Medibank-Private-Limited-concise-statement.pdf (oaic.gov.au).
What we know so far from the Concise Statement is that in October 2022 an employee of a contractor to Medibank had access to an administrator-level account with access to most or all of Medibank’s systems. The credentials to the account were stolen from the contractor’s “personal computer” using malware. Medibank allegedly did not use multi-factor authentication, and the “threat actor” was able to log into Medibank’s VPN with the stolen credentials and exfiltrate 520 gigabytes of data, including personal and sensitive information. In 2018 and 2020, Medibank had been made aware of weaknesses and serious deficiencies in its cybersecurity and information security framework, and it is unclear whether this was further reviewed and strengthened.
The Concise Statement suggests what steps the OAIC considers Medibank should have taken and confirms the approach foreshadowed in the Australian Privacy Principles Guidelines (the Guidelines) and the Guide to Securing Personal Information (the Guide) of taking into account the size of the APP entity and the sensitivity of the personal information involved when determining what steps are “reasonable” in the circumstances.
The Concise Statement alleges that Medibank’s size and the sensitivity of the affected personal information (which included health information and information about individuals’ race or ethnicity) are relevant to determination of what “reasonable steps” were required. Those matters were also relied upon by the Commissioner in support of the alleged interferences with privacy being “serious”.
The Commissioner alleges that Medibank should have implemented all or some combination of the following 11 measures:
- MFA for access to its Global Protect VPN;
- Additional MFA for sensitive or critical information assets within its network perimeter;
- Proper change management controls;
- Appropriate privileged access management controls, including “least privileges necessary”, regular review of access, and revoking dormant accounts and users;
- Appropriate monitoring for privileged accounts to understand normal behaviour and alerts for unusual or suspicious account activity;
- Appropriate password complexity;
- Password monitoring and review processes to ensure that passwords were encrypted, undertaking regular password usage audits and security assessments of tools used to access or query important data sets;
- Proper security monitoring processes to detect and respond to security incidents in a timely manner, including review of all security alerts, clearly documented guidance and procedures for escalating security alerts, regularly reviewing work of first level alert review team, and configuring volumetric alerts for large or abnormal volumes of data;
- Appropriate security assurance testing, including annual penetration testing, internal audits, and internal control effectiveness testing;
- Proper application controls for critical servers; and
- Effective contractor assurance, including regular audits, inspections or testing for compliance and ensuring clarity in the terms of contractor agreements and that the roles and responsibilities are clear where responsibilities for implementing, or assisting with the implementation of, security controls are outsourced.
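Two of the measures above, monitoring privileged accounts for unusual activity and configuring volumetric alerts for large or abnormal volumes of data, can be illustrated with a small detector. The following is an added example written for this post; it is not code from the OAIC, Medibank or any vendor. The log format, the account name `svc-admin`, the thresholds and the sample log lines are all constructed for illustration.

```python
"""Illustrative privileged-login and volumetric alerting over constructed log lines."""
import re
import statistics
from dataclasses import dataclass

# Assumptions for this example: which identities count as privileged, and
# the thresholds used to decide that an egress volume is abnormal.
PRIVILEGED_ACCOUNTS = {"svc-admin"}   # assumed privileged identity
VOLUME_MULTIPLIER = 10                # alert if > 10x the user's median egress
ABSOLUTE_CAP_BYTES = 100 * 10**9      # alert on any single egress over 100 GB
MIN_HISTORY = 3                       # egress events needed before a baseline is trusted

# Constructed sample log (not a real vendor or Medibank format):
#   <timestamp> vpn user=<id> src=<ip> mfa=<yes|no> result=<success|failure>
#   <timestamp> egress user=<id> bytes=<n>
SAMPLE_LOG = """\
2022-10-01T02:14:05Z vpn user=svc-admin src=198.51.100.7 mfa=yes result=success
2022-10-01T02:15:10Z egress user=svc-admin bytes=820000000
2022-10-02T03:01:44Z vpn user=jsmith src=203.0.113.9 mfa=yes result=success
2022-10-02T03:05:00Z egress user=jsmith bytes=50000000
2022-10-03T01:50:12Z vpn user=svc-admin src=198.51.100.7 mfa=yes result=success
2022-10-03T02:00:00Z egress user=svc-admin bytes=900000000
2022-10-04T04:10:00Z egress user=svc-admin bytes=760000000
2022-10-05T05:30:00Z egress user=svc-admin bytes=12000000000
2022-10-05T06:00:00Z egress user=svc-admin bytes=810000000
2022-10-06T22:39:00Z vpn user=svc-admin src=192.0.2.55 mfa=no result=failure
2022-10-06T22:41:09Z vpn user=svc-admin src=192.0.2.55 mfa=no result=success
2022-10-06T23:10:00Z egress user=svc-admin bytes=520000000000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<rest>.*)$")


@dataclass
class Alert:
    ts: str
    user: str
    rule: str
    detail: str


def parse_line(line):
    """Parse one '<ts> <kind> k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m["rest"].split():
        key, sep, value = token.partition("=")
        if sep:                      # ignore tokens that are not key=value
            fields[key] = value
    fields["ts"], fields["kind"] = m["ts"], m["kind"]
    return fields


def evaluate(lines):
    """Run the two rules over log lines in order; return the alerts raised."""
    alerts = []
    history = {}                     # user -> list of past egress byte counts
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        user = ev.get("user", "?")
        if ev["kind"] == "vpn":
            # Rule 1: a successful privileged login that did not pass MFA.
            if (ev.get("result") == "success" and user in PRIVILEGED_ACCOUNTS
                    and ev.get("mfa") != "yes"):
                alerts.append(Alert(ev["ts"], user, "privileged-login-without-mfa",
                                    f"src={ev.get('src')}"))
        elif ev["kind"] == "egress":
            nbytes = int(ev.get("bytes", "0"))
            past = history.setdefault(user, [])
            # Rule 2: volumetric checks, an absolute cap plus a per-user baseline.
            if nbytes > ABSOLUTE_CAP_BYTES:
                alerts.append(Alert(ev["ts"], user, "egress-above-absolute-cap",
                                    f"bytes={nbytes}"))
            elif len(past) >= MIN_HISTORY and nbytes > VOLUME_MULTIPLIER * statistics.median(past):
                alerts.append(Alert(ev["ts"], user, "egress-above-baseline",
                                    f"bytes={nbytes} median={statistics.median(past):.0f}"))
            else:
                # Only normal events feed the baseline, so one spike cannot
                # inflate the median and mask the next one.
                past.append(nbytes)
    return alerts


def run_sample():
    """Evaluate the constructed sample log."""
    return evaluate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.rule} user={a.user} {a.detail}")
```

The median baseline is deliberately robust: the first 12 GB transfer is flagged against a baseline of roughly 0.8 GB without being added to it, and the later 520 GB transfer trips the absolute cap regardless of history. Accounts with too little history, such as `jsmith` here, get no baseline alert, which is a gap a production system would close with an organisation-wide default.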
Although the trial date is yet to be set, the Concise Statement provides useful guidance on what the OAIC considers to be the ‘reasonable steps’ that a business such as Medibank needs to take. Should the Federal Court take a similar view, it is hoped that this guidance will assist other businesses in determining the level of cyber-security measures they need to implement to remain compliant with the law. As the law continues to evolve in this area, we encourage businesses to remain vigilant and proactive in reviewing their own cybersecurity systems, as well as their response systems in case of data breaches, and in strengthening weak spots where necessary to ensure that the personal information of customers is protected.
This has become all the more important since the commencement of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) in December 2022, which increased the penalty for a serious or repeated interference with privacy by a corporate body to the greater of:
- $50 million;
- three times the value of any benefit obtained through the contravention; or
- if the value of the benefit obtained cannot be determined, 30 per cent of the company’s domestic turnover in the ‘breach turnover period’.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific circumstances. It is intended for information purposes only and should not be regarded as legal advice. Further professional advice should be obtained before taking action on any issue dealt with in this publication.
[1] https://www.bennettphilp.com.au/blog/proposed-reforms-privacy-act-1988
[2] https://www.bennettphilp.com.au/blog/privacy-spotlight