eBay argued against stronger privacy breach penalties

Just prior to suffering its own massive customer privacy breach, eBay had argued strongly against the need for statutory responses to privacy breaches.

Even as eBay scrambles to inform its customers of its massive privacy breach, it is worth recalling that the company told the Australian Law Reform Commission that the threat of reputational damage was incentive enough for businesses to protect customer data, and that a statutory cause of action for privacy breaches was unnecessary.

Overnight, eBay announced that it had been the victim of a "cyberattack" in which a number of employee login credentials were compromised between late February and early March. The stolen credentials gave the attackers access to eBay's corporate network and to a customer database containing users' names, email addresses, physical addresses, phone numbers, dates of birth, and encrypted passwords. eBay first became aware of the intrusion around two weeks ago.

The company today began asking its users to reset their passwords. It said that there was no evidence at this time of fraudulent account activity on eBay, but the personal details held in the database could potentially be used for identity fraud even if the passwords themselves are never recovered.

While eBay will be dealing with the ramifications of the breach over the coming weeks and months, the online retailer had argued strongly against statutory penalties being imposed on companies that breach their customers' privacy.

The Australian Law Reform Commission was tasked last year with reviewing serious invasions of privacy in the digital era, including whether a statutory cause of action should be available against companies or individuals responsible for privacy breaches.

In a submission (PDF) to the inquiry, eBay's acting head of corporate affairs Sassoon Grigorian said that given the company's own approach to privacy, such an action "need not be considered at this point".

"Over the years, we have learnt that one of the keys to success is engendering consumer trust and confidence. Confidence is in great part built through consumers trusting that businesses will adhere to certain rules for protecting individual privacy; both those rules required by statutory principle and those followed by sound business practices. Trust in our privacy protections has enabled eBay to be successful in growing our businesses," Grigorian said in a submission in November.

"eBay Inc. recognises the responsibilities which come with handling the personal and private information of both individuals and organisations, and requires all of its companies to adhere to strict standards of behaviour. We have sought to be a leader in the field of handling personal information."

Grigorian said that eBay has corporate rules in place to "adequately protect our users' personal information regardless of where the data resides."

Customers should be notified when there is a serious risk of identity theft or fraud for financial gain, Grigorian said, but added that notification should not be required where the potential harm is "nominal".

Today eBay said that the two-week delay in informing customers was the result of the company waiting until it had established all the facts.

In its submission to the ALRC, the company said that the existing penalties in the Australian Privacy Act were sufficient to cover serious data breaches, and that reputational loss was "the most significant incentive" for organisations to prevent breaches.

Comment has been sought from eBay.

Since news of the breach was published, users have reported difficulty reaching the password reset page because of the heavy traffic the breach has driven to eBay's website.