'

OAIC accepts TeleChoice's response to shipping container data breach

TeleChoice has made a binding commitment to the information commissioner to overhaul its data security practices, implement a data breach notification response plan, and train its staff in privacy processes.

TeleChoice has had an enforceable undertaking accepted by the Office of the Australian Information Commissioner (OAIC), promising to review its data security practices after the mobile services reseller's customer information was found in a shipping container on publicly accessible land.

The enforceable undertaking [PDF] will see TeleChoice, which resells Telstra's 3G network, provide its customers with reimbursement for a 12-month credit monitoring service in case they become victims of fraud as a result of the breach; review its security of customer information; formulate written procedures for the storage and destruction of personal information; consult with the OAIC and a third party to review information-handling practices; regularly train its staff in privacy processes; and develop and put into practice a data breach response plan that notifies potentially affected individuals within two weeks.

In April, the information of those who were customers of TeleChoice before March 31, 2013 -- including signed contracts and copies of identification documents -- was found in a shipping container in Victorian bushland where it had been stored for almost two years awaiting destruction.

While TeleChoice had checked on the container once a month, it had not physically secured the private land where it was stored, and the container was consequently broken into in early April, breaching the customers' personal information.

The information was thereafter destroyed before the company could determine which customers had been affected by the data breach.

Australian Information Commissioner Timothy Pilgrim, who was reappointed to the position in August, initiated an investigation into the matter in May, taking into account whether TeleChoice had taken reasonable steps towards securing and destroying the information. The company admitted that it had not complied with these obligations.

"I appreciate TeleChoice's cooperation with my office during this investigation," said Pilgrim on Tuesday.

"This incident demonstrates the importance of businesses securing the personal information that they hold. Physically locking a container that holds personal information is not sufficient if the container is publicly accessible and unmonitored for extended periods."

The OAIC will continually monitor TeleChoice in order to ensure that it fulfils the processes outlined in its enforceable undertaking, and Pilgrim has also advised other service providers to work towards greater security practices.

"I would encourage all businesses to review their customer records storage. Australian customers expect that organisations will handle their personal information securely, and are entitled to this under the Privacy Act," Pilgrim said.

Pilgrim has historically taken a hard line against companies that cover up data breaches, saying last November that the concealment of a data breach "will not be looked well on by our office".

"I am disappointed when I hear comments that there is an attitude within some organisations of waiting for the [data] breach to happen, waiting for the complaint to be made, and, equally concerning, waiting to see an organisation taken to the courts for a civil penalty -- before taking the appropriate steps to manage and protect their personal information holdings. I personally hope this is just gossip," he said last year.

Pilgrim had fought for the inclusion of a provision whereby data-breach notifications would be mandatory should a leak of the data occur under the mandatory data-retention legislation that came into effect earlier this month.

"By creating a large repository of personal information, the proposed data-retention scheme increases the risk and possible consequences of a data breach," Pilgrim stated in January.

"This is because the challenge of effectively securing that information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure will become more difficult as technology evolves."

He argued that telcos already receive a high number of complaints, with 13 investigations having taken place since he took the office in 2010 -- such as when Telstra made the details of 734,000 customers accessible online in 2011.

Prior to its passing, Pilgrim also attempted to argue that the two-year retention period contained within the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 be assessed against the risk to privacy of storing such a large amount of personal data. He pointed out that 90 percent of investigations relying on retained data only use data that is less than one year old.

"If a decision is made to implement a scheme such as this which is going to require, as I said, the holding or the collection and retaining of huge volumes of data and personal information about people for a long period of time, we need to look at what else we can put in place to do our best to secure that information."

OAIC has also been creating a "Guide to privacy regulatory action", which would further describe the office's powers, with an exposure draft having been released for scrutiny and submissions.