The Privacy Commissioner’s recent investigation of dating website operator, Cupid Media, provides useful guidance as to the level of data and IT security that is now required.
Media reports that the Gold-Coast-based company’s databases had been hacked prompted the Commissioner’s “own motion” investigation of its privacy practices.
The investigation confirmed that around 254,000 users had their personal information disclosed to hackers as a result of Cupid Media’s data breach.
The Privacy Commissioner found Cupid Media failed to take reasonable steps to secure the personal information of its users and to destroy or permanently de-identify personal information that it no longer required.
The investigation was based on Cupid Media’s compliance with NPP 4, as the data breach took place prior to the March 2014 introduction of the new Australian Privacy Principles (APPs). However, the Commissioner’s findings are just as relevant under the APPs. The equivalent APPs relating to data security (APP 11.1) and destruction or de-identification of personal information (APP 11.2) continue to import a “reasonable steps” test.
What amounts to “reasonable” security steps will depend on the circumstances, including the nature of the personal information that an organisation holds and the likely impact of unauthorised access to that personal information.
For Cupid Media, the Commissioner found that more stringent steps were required to protect the privacy of its users’ personal information on the basis that it held particularly sensitive information (including race, religion and sexual preference).
It sounds simple, but organisations need to have a thorough understanding of the nature of the personal information held and the implications for individuals if the privacy of that information is compromised.
The hacking activity that caused Cupid Media’s data breach arose was fairly basic - a result of a vulnerability within the company’s server platform. The hackers were able to run SQL queries against the company’s databases and access user data.
Despite this, the Commissioner found that Cupid Media’s information and patch management, and its testing and monitoring processes, were “reasonable” as required under NPP 4.1. However, Cupid Media should have taken more stringent security steps given the sensitivity of the information that it held about its users. In particular, the Commissioner found the storage of users’ passwords in plain text was not sufficient under NPP 4.1.
The Commissioner highlighted in his decision that good information management tools include having in place:
The Commissioner’s findings also confirm that information security extends beyond storage – organisations must consider destruction and de-identification obligations under APP 11.2.
A privacy compliance program should include systems and processes to identify data that is no longer required and to destroy (or put “beyond use”), or otherwise de-identify, that personal information. Not over-collecting personal information in the first place will also help reduce the administrative burden associated with APP 11.2 compliance.
Organisations should have a clear data breach plan in place that sets out a strategy for identifying and remedying the source of a data breach.
The OAIC’s Guide to Information Security (to which the Commissioner referred as part of the Cupid Media investigation) recommends that a breach plan should include a strategy for assessing and containing data breaches and identify key responsible personnel, procedures for determining whether to notify of the data breach.
Although the Guide is not legally binding, it represents a reference point for “privacy best practice” for the purposes of meeting APP 11 requirements.
The Commissioner particularly noted Cupid Media’s “collaborative and cooperative approach” to the investigation and its significant remedial steps once it became aware of the data breach. This included implementing a data breach response plan, hashing all user passwords with a unique “salt” and reviewing best practice for data storage and privacy practices generally.
Cupid Media also notified the affected individuals and encouraged resetting of passwords. Whilst not mandatory, notification is increasingly a common component of a good data breach response plan and accords with the OAIC’s recommended best practice (see OAIC’s Data Breach Notification Guide).
Given the potential for significant reputational damage from a well-publicised data breach, not to mention the time and cost involved in responding to an investigation by the Privacy Commissioner and potential fines, the Cupid Media decision is a reminder of the importance of implementing and maintaining effective and “best practice” information security practices.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.