The Federal Communications Commission (FCC) has obtained a US$595,000 settlement from Cox Communications (the third largest cable company in the United States) for a privacy breach.
In August 2014, a hacker gained access to Cox systems containing customers’ personal information, by pretending to be from Cox’s IT department and convincing a Cox customer service representative and a Cox contractor to enter their account details into a “phishing” website controlled by the hacker. The Cox system in question did not have technical safeguards, such as multi-factor authentication, to prevent the compromised credentials from being used to access the personal information.
Cox will also be required to improve its privacy and data security practices by:
- designating a senior corporate manager who is a certified privacy professional,
- conducting privacy risk assessments,
- implementing a written information security program,
- maintaining reasonable oversight of third party vendors,
- implementing a data breach response plan, and
- providing privacy and security awareness training to employees and third-party vendors.
Link (FCC): FCC consent order
The UK Information Commissioner’s Office has fined the Crown Prosecution Service (CPS) £200,000 for failing to maintain the security of recorded police interviews with victims and witnesses. The interviews concerned 31 police investigations, nearly all of which were ongoing and of a violent or sexual nature.
CPS couriered unencrypted DVDs containing the videos of the police interviews to a private film company for editing. The film company used a residential flat as a studio. The studio was burgled and two laptops containing the videos were stolen. The laptops, which were left on a desk, were password protected but unencrypted and the studio had no alarm and insufficient security.
The Commissioner considered that CPS failed to take reasonable steps to prevent the breach. On the facts, the Commissioner concluded that reasonable steps would have included:
- inspecting the film company’s premises to ensure that they were suitable for the editing of videos containing police interviews;
- having a guarantee that the unencrypted DVDs would be stored in a lockable cabinet;
- having a guarantee that any laptops containing the videos were encrypted by the film company; and
- ensuring that provision had been made for the return or destruction/erasure of the DVDs/videos at the end of the case.
Link (ICO): Monetary Penalty Notice under the Data Protection Act 1998
The Information Commissioner’s Office has fined Pharmacy2U Ltd (the UK’s largest NHS approved online pharmacy) £130,000 for selling more than 20,000 customers’ personal data to marketing companies without their informed consent.
The Commissioner emphasised that Pharmacy2U:
- ought to have known that its customers had a reasonable expectation of confidentiality when using an online pharmacy, especially when the company’s own website described the service as “discreet and confidential”, and
- should have displayed a notice in a prominent position on its website which provided its customers with a simple way to opt out of the sale of their personal data to third party organisations.
Link (ICO): ICO’s Decision
The Office of the Australian Information Commissioner has developed a draft Guide to Developing a Data Breach Response Plan. The Commissioner notes that the cost to an organisation of a data breach can be significant and that implementing a data breach response plan can assist in mitigating these costs.
The data breach response plan should cover things like:
- a strategy for assessing and containing data breaches – this includes the actions the response team should take in the event of a breach or suspected breach,
- a clear explanation of what constitutes a data breach, so that staff are able to identify one should a breach occur,
- the reporting line if staff do suspect a data breach, including who needs to be informed immediately,
- who is responsible for determining which other external stakeholders should be contacted (for example, law enforcement agencies, regulators and the media),
- recording data breaches – the organisation should consider how to record data breaches, including those that are not referred to the response team, and
- a strategy to identify and address any weaknesses in data handling that contributed to the breach.
While the Guide is not legally binding, the Commissioner has indicated that the preparation and implementation of a data breach response plan will likely satisfy an organisation’s obligation under the Australian Privacy Act to take reasonable steps to protect the personal information that the entity holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
The closing date for comments is Friday 27 November 2015.
Link (OAIC): Guide to Developing a Data Breach Response Plan
In Australia, Kmart has engaged IT forensic investigators after personal details of its online customers were hacked. Kmart says no customer credit card details have been compromised. However, customers’ names, email addresses, home addresses, telephone numbers, and product purchase details were accessed in an “external privacy breach” early last month. Kmart has also contacted the Australian Privacy Commissioner and the Federal Police to help with the investigation.
In the US, Experian, one of the largest data brokers and credit agencies in the world, has also been hacked. Information from the hack includes names, addresses, and social security, driver’s license and passport numbers. The licence and passport numbers were in an encrypted field, but Experian says that encryption may also have been compromised.
Link: Kmart (Sydney Morning Herald) and Experian (The Guardian)
In a recent article at Outlaw.com, Laura Gillespie has a reminder on the usefulness of legal privilege in investigating and managing data breaches:
When data breach incidents occur and businesses begin internal investigations, they are unlikely to know precisely what conclusions they will reach. It is clear that documents created following a serious, adverse incident could have far-reaching implications in any subsequent litigation or prosecution.
She goes on to recommend:
- Having a pre-prepared plan (and a pre-selected team) for investigating and managing data breaches
- Ensuring only the designated team can access documents relating to investigation/management of a breach
- Limiting the extent to which these documents are circulated to any broader group
Link (Outlaw.com): Data breach management – making use of legal privilege
The US Securities and Exchange Commission and investment adviser R.T. Jones Capital Equities Management have agreed to settle charges that the latter failed to establish the required security policies and procedures in the lead-up to a data breach that compromised the personally identifiable information of approximately 100,000 individuals.
As part of the SEC’s investigation, it found that R.T. Jones Capital did not have any written policies and procedures designed to protect customer information. Further, R.T. Jones Capital did not conduct periodic security risk assessments, encrypt personally identifiable information stored on a third-party server, implement a firewall, or maintain a response plan for potential security incidents.
Link: SEC Press Release