Telstra 'staff error' continues plaguing SSU compliance

Telstra staffers auto-populating email addresses or not checking recipients before hitting send were responsible for three of the telco's 2016 breaches of its SSU, the ACCC has said.
Written by Corinne Reichert, Contributor

While Telstra has continued improving its Structural Separation Undertaking (SSU) compliance, the regulator has found that several breaches occurred throughout 2016 due to "staff error" in sending emails to the wrong recipients.

Telstra's SSU FY16 compliance report [PDF], tabled by the Australian Competition and Consumer Commission (ACCC) on Thursday, found that the breaches during the most recent financial year related to Telstra's information security obligations, price equivalence and transparency obligations, and migration plan obligations.

Telstra's information security obligations prevent it from disclosing information its wholesale arm gains to its retail arm.

"The most common SSU compliance issue during the year was Telstra's failure to prevent unauthorised disclosure of protected information," the compliance report said.

"These issues arose as a result of a number of isolated incidents that occurred due to staff error. In each of the three reported instances, Telstra took action to contain the risk and sought to address the issue through coaching and ongoing training."

There were three breaches reported by Telstra during the year, with two relating to protected information being disclosed to retail business unit staff and one to a network services business unit employee.

"All three breaches were due to emails sent in error," the ACCC said.

As a result, the telco will "encourage staff to turn off auto-populating and suggested names in Outlook", encourage employees to seek legal or management advice prior to distributing emails to non-wholesale business groups, and "continue emphasising the importance of checking email recipients before hitting 'send'".

Telstra also attributed its migration plan breaches to "human error" or "data quality issues"; it breached these obligations on several occasions during 2016 when it provided services to premises that had been disconnected for National Broadband Network (NBN) migration, or connected premises with services that were not allowed under the telco's cease sale obligations.

Lastly, Telstra breached its price equivalence and transparency obligations twice by not updating its rate card to reflect the regulator's final access determination (FAD) fixed-line pricing -- which Telstra was still fighting in Federal Court until last month -- until five days after the due date, and by not updating its rate card to reflect the ACCC's backhaul pricing FAD until 40 business days after the due date.

Similarly, last year the ACCC reported that it had found several breaches of the SSU due to human error and failing IT systems. The 2015 breaches related to disclosing to its retail business confidential or commercially sensitive wholesale customer information obtained while supplying regulated services; failing to maintain separation between its wholesale, retail, and network businesses; failing to comply with transparency reporting requirements; and blocking the process of service orders for migration to the NBN.

As a result, an independent review by Ovum of Telstra's IT systems was kicked off in March 2016, with Telstra in October announcing the completion of the IT overhaul and infosec remediation program.

The program involved Telstra reviewing which staff members have access to what information, in order to ensure employees working in the retail business had no access to NBN wholesale customer information.

Twenty-four of the 42 IT systems involved in the review were evaluated over a period of nine weeks, with Telstra implementing a "clear reporting and appropriate corporate governance model with senior management oversight" as a result.

The SSU governs how Telstra's wholesale business is to function during the rollout of the NBN, and committed it to structurally separating its wholesale and retail businesses by 2018. The document was accepted by the ACCC in February 2012.

Every year, the ACCC must look into whether Telstra has kept to its SSU commitments until the NBN rollout is complete and all services have been migrated from the Telstra fixed-line network to the NBN.
