Fix your security, don't cover up breaches: Privacy commissioner

Read the new Privacy Regulatory Action Policy, says Australia's Privacy Commissioner Timothy Pilgrim. Follow its advice, or get into trouble.
Written by Stilgherrian, Contributor

Australian Privacy Commissioner Timothy Pilgrim has issued a strong warning to companies that attempt to cover up data breaches, or have failed to take a proactive approach toward ensuring that personal data is kept secure.

Attempts to conceal a data breach "will not be looked well on by our office", Pilgrim told the annual summit of the International Association of Privacy Professionals ANZ (iappANZ) in Sydney on Monday.

"I am disappointed when I hear comments that there is an attitude within some organisations of waiting for the [data] breach to happen, waiting for the complaint to be made, and, equally concerning, waiting to see an organisation taken to the courts for a civil penalty — before taking the appropriate steps to manage and protect their personal information holdings. I personally hope this is just gossip," Pilgrim said.

The Office of the Australian Information Commissioner (OAIC) has released the government's Privacy Regulatory Action Policy, which explains the powers available to the privacy commissioner and formalises the approach he will take when using these powers.

The OAIC is also working on a "Guide to privacy regulatory action", which gives a more detailed explanation of how it will exercise each power. An exposure draft has been released for comment. A new guide to securing personal information, an updated version of the Guide to Information Security, is also in the pipeline.

Consumers have become aware that "privacy has become an inherent part of everything they do", Pilgrim said. The massive Target data breach in the US, and the resulting impact on the company's financial performance and senior management, should be "sufficient warning" that managing the privacy risk is important.

"If they're not, then I hope you've read my recent decisions, listened very closely to what I have been saying about our regulatory approach, and that you're planning to read our Regulatory Policy very closely — because not taking the right approach to managing privacy appropriately will not put you in good stead in the event I undertake an investigation of your organisation," he said.

Pilgrim stressed that it's an "absolute necessity" to design information security measures with the human factor in mind.

"There is always the chance of insider risk, of deliberate mishandling, but even more likely is that someone will make a mistake. Your staff are human, and humans make errors. Design your security measures for that eventuality... We have seen a number of instances where staff have had access to information they did not need, which has resulted in mishandling of personal information," he said.

"If your systems and process do not adequately address known privacy risks, then that is an accident waiting to happen," Pilgrim said.

One example of this was the data leak from the Department of Immigration and Border Protection, when around 9,500 people's personal information was available for download on the department's website. The OAIC is now dealing with more than 1,600 individual complaints resulting from this one breach.

Some of those complaints were received in the 2013-14 financial year, and contributed to a 183 percent increase in complaints over the previous year. But even if the complaints relating to the Immigration breach and another significant breach are omitted, the OAIC still saw a 100 percent increase in complaints.

"While there's a degree to which this is bad — obviously it would be great if there was a drop in privacy issues and a related drop in complaints — I also see this increase in complaints as a positive. People are increasingly more aware of their rights, and that they are prepared to exercise those rights," Pilgrim said.
