ODMOB Newsletter No 3 Part 1

ODMOB Law
ODMOB LAWYERS ABN: 81 141 521 571
9/30/2015
Edition 2015 Volume 3, Part 1

Security and Privacy: Know Your Regulator

NEXT ISSUE: Security and Privacy: Know your Regulator, Part 2

It was intended that this issue would concern the legality of penetration testing, but the issues raised in the Wyndham case took precedence. The issues raised in the Wyndham case will be dealt with over 4 parts. Following this, the penetration testing issue will be released.

Introduction

On March 3, 2015, Richard Bejtlich, the Chief Security Strategist for FireEye Inc., in his submission to the US House of Representatives stated[1]:

"The median amount of time from an intruder's initial compromise to the time when a victim learns of a breach is currently 205 days, as reported in our 2015 M-Trends report. This number is better than our 229 day count for 2013, and the 243 day count for 2012."

He also stated that in most cases the identification of the intrusion is not internally generated but comes through some third party like the FBI. The impact of this is that on average an intruder has nearly 7 months of undetected access to a system in which to explore, pilfer and cause financial harm to the victim.

In 1999, Winn Schwartau proposed a new model for determining whether an IT system was secure. His model is known as Time Based Security[2], which is formulated as follows:

St > Dt + Rt

Where:
St is the security time by which a system can be successfully attacked.
Dt is the time it takes for the system to detect an attack.
Rt is the time it takes for the system to react to that attack and provide countermeasures to such attack.

Obviously, the longer it takes to detect an intrusion, the longer it takes to react, and thus the longer the perpetrator has to cause havoc. If an organisation is unaware for such a long period that its system has been compromised, then clearly there is an issue with the security framework that has been implemented by the organisation. Consequently, Intrusion Detection Systems are an imperative tool (among other technologies) in order to operate a business in a modern society that uses technology such as computers connected to the internet.

[1] http://energycommerce.house.gov/hearing/understanding-cyberthreat-and-implications-21st-century-economy <accessed 18 September 2015>
[2] Schwartau, W., Time Based Security: Practical and Provable Methods to Protect Enterprise and Infrastructure, Networks and Nation, Interpact Press, 2001.
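The inequality above can be turned into a small exposure calculator. The following Python is an added example, not code from the newsletter or from Schwartau's book; the incident timestamps are constructed (the 205-day detection gap mirrors the M-Trends median quoted above), and the 30-day protection time St used in the demonstration is an assumed estimate.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed incident timeline (not from the newsletter): when the intruder
# first got in, when the victim learned of it, and when countermeasures held.
# The 205-day detection gap mirrors the M-Trends median quoted in the text.
SAMPLE_INCIDENT = {
    "compromise": "2015-01-10T08:00:00",
    "detection":  "2015-08-03T08:00:00",  # 205 days after compromise
    "reaction":   "2015-08-10T08:00:00",  # 7 days from detection to containment
}


@dataclass
class TimeBasedSecurity:
    """Schwartau's model: the system is secure only while St > Dt + Rt."""
    st: timedelta  # security time: how long protection holds an attacker off
    dt: timedelta  # detection time
    rt: timedelta  # reaction time

    def is_secure(self) -> bool:
        return self.st > self.dt + self.rt

    def exposure(self) -> timedelta:
        """Window in which the intruder has free rein; zero when secure."""
        gap = self.dt + self.rt - self.st
        return max(gap, timedelta(0))


def from_timeline(incident: dict, st: timedelta) -> TimeBasedSecurity:
    """Derive Dt and Rt from ISO-8601 timestamps; St is the assumed protection time."""
    t = {k: datetime.fromisoformat(v) for k, v in incident.items()}
    if not t["compromise"] <= t["detection"] <= t["reaction"]:
        raise ValueError("timeline must be ordered compromise <= detection <= reaction")
    return TimeBasedSecurity(st=st,
                             dt=t["detection"] - t["compromise"],
                             rt=t["reaction"] - t["detection"])


def evaluate(incident: dict, st_days: float) -> dict:
    """Summarise an incident against an assumed St given in days."""
    tbs = from_timeline(incident, timedelta(days=st_days))
    return {
        "dt_days": tbs.dt.days,
        "rt_days": tbs.rt.days,
        "secure": tbs.is_secure(),
        "exposure_days": tbs.exposure().days,
    }


def detection_budget(st_days: float, rt_days: float) -> float:
    """Longest Dt (in days) the inequality tolerates for a given St and Rt."""
    return max(st_days - rt_days, 0.0)


if __name__ == "__main__":
    # With a 7-day reaction and protection assumed to hold 30 days, the 205-day
    # detection gap leaves the intruder 182 days of unanswered access.
    print(evaluate(SAMPLE_INCIDENT, st_days=30))
    print("detection must happen within", detection_budget(30, 7), "days")
```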

There are many ways by which a perpetrator can take advantage of a vulnerability. It is not the purpose of this note to extrapolate the various threats in existence. The purpose of this note is to provide some guidance to corporate Australia as to the various legislative obligations that require corporations to take reasonable steps in the circumstances to secure their digital assets from unauthorised access. These obligations vary according to a number of criteria. It is not possible in this short note to cover the field as to all legislative obligations; consequently this note will initially address the following:

- Is the organisation an APP Entity as defined under the Australian Privacy Act (1989) Cth (as amended)?
- If it is, what security obligations does that impose upon the organisation?

Further, this note will not deal with any of the three tiers of government, as much has been discussed previously by many other authors and government bodies.[3] For this part, only the obligations noted will apply equally to the three tiers of Government. Consequently, this note will primarily discuss NGOs (Non-Government Organisations) that operate within Australia.

APP Entities

In 1890, Warren and Brandeis, in their seminal paper dealing with The Right to Privacy,[4] commenced as follows:

"That the individual shall have full protection in person and in property is a principle as old as the common law; but it has been found necessary from time to time to define anew the exact nature and extent of such protection. Political, social, and economic changes entail the recognition of new rights, and the common law, in its eternal youth, grows to meet the new demands of society."

These words are as prophetic today as they were in 1890. In 1890, the learned Harvard Law Professors were concerned about:

"Recent inventions and business methods which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right 'to be let alone' [citation omitted]. Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that 'what is whispered in the closet shall be proclaimed from the house-tops.'"

The advent of the internet has made the issues raised by the learned Harvard Professors even more disturbing. The internet has obviously advanced the standard of living of most Australians and, for that matter, most if not all western societies, but at the same time there has been a hidden cost, which in recent times has become more prevalent. The rapid advancement of new technologies is, from a legislative position, outstripping the law. Just as the airplane made the world a small place to visit, communications technologies have decreased the size of the world to adjoining property allotments. It is now possible through OTT (Over the Top) technologies to facilitate video conferencing with little or no lag time. Peer to Peer communications technologies such as SKYPE have made this possible, so that anyone with an internet connection can have a relatively cost effective discussion with someone located anywhere in the world, provided both parties have a similar connection with appropriate bandwidth.

The dark side to this technological advancement is that there has been a massive increase in the collection of Personal Identifiable Information (PII). PII does not have to be restricted to an organisation's customer details, as it will also include employee details. This was recently brought to light in the substantial attack on the US Government's Office of Personnel Management employee database, which contained current, former and prospective employee details.[5] It is now suspected that the attack was designed to gain this information for possible blackmail or future leverage at some time in the future. Only time will tell. The important point is that all organisations hold PII, whether it be employee data or customer data; otherwise they could not operate.

Of course the advantage for large organisations in collecting consumer details is that it allows these organisations to interrogate/data mine PII so as to increase their economic prosperity. Target advertising is now the norm. Organisations like Google and its subsidiary Double-Click monitor/collect every end-user's activity and commercialise that information to online retailers.[6] All retailers keep data on their customers so that they can target market to them. Amazon monitors what items a person may peruse even if they do not purchase, so that when the potential customer returns Amazon will display items that match the prior perusal activity. Further, Amazon will also display items that match other customers' purchasing activity if it is similar to yours. In other words, Amazon builds a profile of likes and activity on all customers in order to target market.

At the same time the criminal sector of society has targeted the multitude of data repositories containing such PII. Their principal objective is to skim the data for identity theft purposes or to transact the data to other parties who wish to undertake identity theft activities. As a result of these activities the implementation of privacy principles has risen, as has the obligation to secure PII from unauthorised access.

The law may not progress as fast as the advancement of technological innovation, but in recent times legislators have enacted various legislative regimes to obligate collectors of PII to secure their collected information and to only collect the information for a stated purpose and, where reasonably possible, with the consent of the relevant persons. In 1989 the then Federal Parliament enacted the Privacy Act (1989) Cth [the Privacy Act] as part of Australia's compliance with the International Covenant on Civil and Political Rights and to give effect in part to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Privacy Act[7] is basically the principal legislation covering privacy in Australia, as it covers all Australian Federal Government agencies, the Governments of the Australian Capital Territory and Norfolk Island and their various agencies, as well as, in the private sector, all credit reporting agencies and all corporations that have an annual revenue in excess of $3,000,000.

The Privacy Act was substantially amended, with such amendments coming into effect on 12 March 2014. The amended Privacy regime details the APPs (Australian Privacy Principles), which govern both the public and private sector. An APP Entity includes the same entities noted above, with the retention of the exclusion of small businesses whose revenue is less than $3,000,000.

Pursuant to APP 1 an APP Entity is required to handle PII in an open and transparent manner. Aligned with this principle is APP 5, which details the matters that an organisation has to inform individuals about at the time of, or as soon as practicable after, the collection of their PII. The combination of these two principles has been interpreted to mean that all APP Entities must have an appropriately drafted and published Privacy Policy that corresponds to the obligations set out in the APPs. Consequently, all privacy policies are a public representation of how an APP Entity will collect, store, use, secure and destroy all PII. Privacy Policies now have a central position in the Australian Privacy regime.

Further, under the Privacy Act, industry associations may develop privacy codes of practice, which can be reviewed and possibly registered with the Office of the Australian Information Commissioner (OAIC). If a code of practice is accepted for registration then it will bind all organisations within the relevant industry sector identified in the code. Even though the codes are registered with the OAIC, the Privacy Act is administered by the Privacy Commissioner (the Commissioner), who is integrated into the OAIC. Even though the Commissioner administers the Privacy Act, it is the OAIC that monitors and enforces compliance. This causes some confusion, as the Commissioner is able to investigate breaches of the APPs either of its own volition or pursuant to a complaint made. If as a result of an investigation the Commissioner believes a civil penalty should be imposed, then the Commissioner will need to bring an action in the Federal Court.[8] The Commissioner is also permitted to seek injunctive relief in certain circumstances. The monetary amount of penalties is $180 per penalty unit. The maximum civil penalty under the Privacy Act 1988 (Cth) is $360,000 for individuals and $1.8 million for companies. As far as the author is aware, no civil penalties have to date been imposed under the Privacy Act, but this may not continue, especially with the increasing incidents of data breaches in Australia.

APP 11 requires an APP Entity to take steps that are reasonable in the circumstances to protect PII that it holds from misuse, unauthorised access, loss and interference. Further, APP 11 requires an organisation to destroy or de-identify personal information that it no longer requires, either for its own use or pursuant to any other law such as for Taxation purposes or under the Companies Act. The term "destroy" has been interpreted, in the context of computer related data, to mean to remove in such a manner that the relevant data cannot later be reconstituted for later access or use.[10] Hence, the impact of APP 11 is that an APP Entity must implement appropriate security measures to ensure that the risk of a data breach is minimised in the circumstances. For example, it was reported in the press that Woolworths was recently asked by the OAIC to explain the alleged accidental disclosure of the private details of 1000 Woolworths customers.[9]

Unlike the United States of America, there are no mandatory data breach disclosure obligations imposed upon APP Entities in Australia. The current Federal Government has stated that it will introduce a mandatory data breach scheme by the end of 2015 and, in relation to such legislation, there will be a consultative draft available for comment. In making this announcement the Federal Attorney General did not indicate whether this mandatory breach notification scheme would be imposed upon all APP Entities or would be restricted to those organisations that are subject to the Data Retention Act (2015) Cth. It is likely that many organisations will lobby the Federal Government to only require data breach notifications to occur in the strictest circumstances. The rationale for this is that Corporate Australia, especially publicly listed corporations, have argued that any disclosure of a data breach could have a devastating negative impact upon the share price of the corporation and result in a negative impact upon market/consumer confidence.

On the other hand, if there has been a data breach, how can consumers protect themselves against identity theft activity if they are unaware of the breach in the first place? The average cost per consumer in relation to a data breach has been estimated to be in the vicinity of $2,029. This amount comprises $1,259 in fraudulent charges and approximately $770 in legal fees, but excludes the cost of 20 hours expended to correct any personal fraudulent records impacting the victim.[11] These amounts only deal with the cost to the consumer and exclude the cost to the actual corporation that has suffered the data breach in the first place. The average cost to Australian corporations has been estimated to be US $133 per compromised record or US $2.61 million per corporation, as compared to the average cost in the USA per record of US $217 or US $6.53 million per corporation. Irrespective of the jurisdiction there is substantial cost involved.[12]

The security obligation detailed in APP 11 varies depending on the circumstances under which the APP Entity operates. The OAIC has identified that the following will be taken into consideration as regards the surrounding circumstances:[13]

- the nature of the entity holding the personal information;
- the nature and quantity of personal information held;
- the risk to the individuals concerned if the personal information is not secured;
- the data handling practices of the entity holding the information;
- the ease with which a security measure can be implemented.

The above noted circumstances are not an exhaustive list, and as such the OAIC is able to take into consideration other factors in determining whether the organisation under investigation has taken such steps as are reasonable in the circumstances.

As yet, there have not been any cases involving a contravention of APP 11. The actual terminology used in APP 11 is "such steps as are reasonable in the circumstances". Similar terminology can be found in other legislation such as the Corporations Act (2001) Cth in relation to the responsibilities of directors of a corporation. Directors are required to take reasonable steps to place themselves in a position to guide and monitor the management of a company. The issue comes down to what the term "reasonable steps" actually means. According to Middleton J. in ASIC v. Healy,[14] citing with approval Zeeman J.:

"First it is necessary to ascertain what steps in fact were required to be taken by the Company in order to secure compliance with the relevant provision of s267. The test is an objective test. It is then necessary to ascertain what steps reasonably ought to have been taken by the respondent to secure compliance. Again, the test is an objective test but by reference to the particular circumstances of the case."

Since the test for compliance is an objective test, the state of mind of management is not a relevant consideration as to whether reasonable steps have been taken. The responsibility of ensuring the security of PII will fall upon the management of the APP Entity, and as such it is their responsibility to ensure that appropriate security measures are implemented in the protection of PII.

Conclusion

Privacy and security in the commercial sector now go hand in hand. Any organisation that is an APP Entity and which collects, stores or processes any personal information must have a carefully drafted privacy policy that corresponds to the security framework implemented. If there is a contravention of either APP then it is possible that the regulator (OAIC) could commence an investigation and possible proceedings if it believes a civil penalty is in order. It is recommended that APP Entities should have their privacy policy reviewed by a solicitor with the relevant expertise and at the same time have their security framework audited so that they do not contravene the Privacy Act.

Next Issue

The next release will extend the issues raised in this release; in particular, if the organisation is a trading corporation or operates its business via the internet, then the Australian Competition and Consumer Commission will have jurisdiction and as such care needs to be taken as regards the content of the published privacy policy. If anyone wishes to receive further issues of this newsletter then just contact Dr McCullagh (see contact details below) in order to subscribe.

Notes

[3] See McCullagh, A., Management Responsibilities in Protecting of Information Assets: An Australian Perspective, First Monday Online Peer Review Journal. http://firstmonday.org/ojs/index.php/fm/article/view/973/894 <accessed 23 Sept 2015>
[4] 4 Harvard L.R. 193 (Dec. 15, 1890)
[5] On 23 June it was reported in the press that there had been a substantial cyber-attack on the US Government's database that contained details of current, former and prospective employees. http://edition.cnn.com/2015/06/22/politics/opm-hack-18-milliion/
[6] See Microsoft's Privacy Statement, which is nearly 35 pages long and details the collection mechanisms utilised by Microsoft in its business operations.
[7] In addition to the Federal Privacy Act, each of the Australian States has enacted corresponding privacy obligations, but they only apply to State Government agencies or Government Owned Corporations.
[8] In Australia the regulatory agency cannot simply impose a civil penalty, as this would make the agency not only the gatherer of evidence but also the arbiter of fact and the issuer of the penalty. Consequently, the relevant regulatory authority must obtain court approval for any imposition of a penalty. The Federal Court can at its discretion alter the amount any regulatory authority may seek by way of a civil penalty.
[9] http://www.computerworld.com.au/article/576266/oaic-seeks-detailswoolworths-privacy-snafu/ <accessed 23 Sept 2015>
[10] Jei Jing et al v. CCom et al [1992] FCA 325
[11] Javelin Strategy and Research, 2015 Identity Fraud Study. https://www.javelinstrategy.com/news/1556/92/16-Billion-Stolenfrom-12-7-Million-Identity-FraudVictims-in-2014-According-toJavelin-StrategyResearch/d,pressRoomDetail <accessed 23 Sept 2015>
[12] IBM Ponemon Institute Research, 2015 Cost of Data Breach Study: Global Analysis. http://www03.ibm.com/security/databreach/?&S_PKG=&ct=&jm=&S_TACT=&iio=BSEC&cmp=&cr=google&cm=k&csr=Unbranded|Search|Security+Services+Research+12+Awareness|ROW|3571&ccy=us&ck=cost%20of%20data%20breach&cs=b&cn=Data_breach&mkwid=s13iiHLhidc_50705364711_43246d30503_ <accessed 23 Sept 2015>
[13] Office of the Australian Information Commissioner, Guide to Information Security: reasonable steps to protect personal information (2013). http://www.oaic.gov.au/privacy/privacy-resources/privacyguides/guide-to-securing-personalinformation <accessed 19 Sept 2015>
[14] [2011] FCA 717

Dr Adrian McCullagh Ph.D., LL.B. (Hons), B.App. Sc. (Computing)
Mob: 0401 646 486
Ajmccullagh57@gmail.com

PLEASE NOTE this paper is NOT the provision of legal advice. If a reader has an issue then they should seek appropriate legal advice. The author makes no warranty as to correctness of anything contained in this paper. This paper is the sole opinion of the author and must not be relied upon as legal advice. Every situation is different and as such proper analysis must be undertaken when seeking a legal opinion. Consequently, the author takes no responsibility for any errors that may exist in this paper and certainly takes no responsibility if any reader takes any actions based on what is (expressly or by implication) contained in this paper. All readers take full responsibility for anything they may do in reliance of anything contained in this paper.