You might recall that in October last year First State Super (FSS) responded to a report from one of its members that he was easily able to access other members’ statements, because the website used a “direct object reference” style of programming. This is a very simple way of extracting data from a database, but it means that the record “key” is in the URL, and a user can change the key simply by editing the URL bar. The same thing happened to the ATO in 2000, when it used ABNs as the key in the URL. According to the Sydney Morning Herald, FSS responded with legal threats against the member. The technology community, however, expressed outrage, since the security breach was apparently the result of the direct object reference coding.
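As an added illustration (not code from the original post, nor from the FSS or Pillar systems): a handler that fetches a statement using the key taken straight from the URL with no ownership check, beside a hardened version that requires the record to belong to the logged-in member and records refused requests for monitoring. All member names, statement ids and URLs are constructed.

```python
# Added example: direct object reference handler beside a hardened one.
# The "database", users and URLs below are constructed sample data.
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


@dataclass(frozen=True)
class Statement:
    statement_id: int
    owner: str
    body: str


# Constructed sample table: statement id -> statement record
STATEMENTS = {
    1001: Statement(1001, "alice", "Alice's annual statement"),
    1002: Statement(1002, "bob", "Bob's annual statement"),
}

# Refused lookups (user, requested id); a real system would ship these to a SIEM,
# since a member walking through other members' ids shows up here immediately.
DENIED_ACCESS_LOG: list[tuple[str, int]] = []


def _statement_id_from_url(url: str) -> int:
    """Extract ?id=NNN from the request URL; reject missing or non-numeric ids."""
    values = parse_qs(urlparse(url).query).get("id", [])
    if len(values) != 1 or not values[0].isdigit():
        raise ValueError("missing or malformed id")
    return int(values[0])


def vulnerable_get_statement(url: str, session_user: str) -> str:
    """Direct object reference: the id in the URL is the lookup key and the
    logged-in member is never compared with the record owner (the FSS flaw)."""
    stmt = STATEMENTS.get(_statement_id_from_url(url))
    return "404 Not Found" if stmt is None else stmt.body


def hardened_get_statement(url: str, session_user: str) -> str:
    """Same lookup, but the record must be owned by the session user. A foreign
    id and a non-existent id return the same response, so the reply does not
    reveal which ids exist; the refused foreign request is logged."""
    requested_id = _statement_id_from_url(url)
    stmt = STATEMENTS.get(requested_id)
    if stmt is None:
        return "404 Not Found"
    if stmt.owner != session_user:
        DENIED_ACCESS_LOG.append((session_user, requested_id))
        return "404 Not Found"
    return stmt.body
```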
The Privacy Commissioner conducted an own motion investigation and recently reported that while FSS had not breached National Privacy Principle 2, it had breached Principle 4.1. FSS had outsourced its IT systems to a third party, Pillar, which had conducted over 200 security tests but had not tested the website in question. The Privacy Commissioner concluded that Principle 4.1 had been breached because the limited testing meant adequate security measures were not in place.
There are a few lessons from this case. The first is that outsourcing IT, whether by you or your clients, will not protect you from a finding of breach caused by a failure of the outsourcing company. While you may obtain warranties and indemnities from the IT company, these will not protect you from reputational damage.
The second lesson is to ensure that you do have adequate warranties and indemnities from the IT company. You should also ensure that such insurance cover as is available is held by the outsourcer so that the indemnities are actually worth something.
The third lesson is to become involved in the security regime, and not merely leave it to the contractual position. This will probably involve gaining access to a great deal of confidential information and intellectual property held by the IT company. While there may be reasonable resistance to this, it should not deter you from satisfying yourself that your or your clients’ personal information is adequately protected. In particular, a suitably qualified person should understand the technology used, the ownership of the hardware and software, and the testing regime, and be able to interpret the results of testing. Bear in mind that Pillar had conducted over 200 tests, but had failed to test the system that ultimately failed.
Depending on the nature of the system outsourced, it may be worth treating the systems as if they were an asset during the due diligence. If software was the primary asset being purchased you would want to understand the commercial value based on quality, security, ownership of intellectual property and the ability to adequately maintain the software.
A final lesson is in how FSS ultimately responded to the event. The Privacy Commissioner publishes a data breach notification guide, and FSS carried out many of the steps in the guide. These included: understanding the extent of the breach, resolving the flaw immediately, contacting the police, seeking assurance from the member that the information had been destroyed, engaging a penetration testing consultant, and updating policies and processes. While some components of the response were probably a bit wanting, they showed sufficient effort that the Privacy Commissioner ceased his own motion investigation. They also no doubt had the desired effect of ensuring that the member did not carry out the same activities again.