Privacy Commissioner releases findings on Telstra mailout error
Whenever the public are in danger of having their credit file tarnished due to data breaches which can result in identity theft, it is important to warn them.
News has emerged from the OAIC (Office of the Australian Information Commissioner) on a botched Telstra mailout.
The OAIC today released the findings of its investigation into the Telstra mailing error which resulted in around 60,000 Telstra customers’ personal information being sent to other customers.
Australian Privacy Commissioner Timothy Pilgrim opened an investigation after Telstra notified him of the incident in October 2010.
Mr Pilgrim found that while Telstra did breach the Privacy Act in terms of disclosing personal information of its customers to a third party, it was not due to any failings of the security of its system, but simple human error.
The investigation revealed that Telstra had a range of security measures in place to protect customer personal information involved in mail campaigns. These measures include privacy obligations in agreements with mailing houses, privacy impact assessments at the outset of mail out initiatives, and procedures to ensure staff handle personal information appropriately during mail campaigns.
“In this instance, taking into account the range of measures Telstra has in place for mail campaigns, I consider that the one-off human error that occurred does not mean that Telstra failed to comply with its obligation to take reasonable steps to protect the personal information of its customers. Therefore, I consider that Telstra has not breached this particular aspect of the Privacy Act,” the Privacy Commissioner said.
The Commissioner also noted Telstra’s fast notification of the data breach.
Mr Pilgrim did say, however, that if an individual complaint came to them following this matter, the complaint would be considered on its own merits.
“Incidents such as this one highlight how important it is for all organisations to take steps to protect their customers’ privacy. If such an incident does occur, it is best practice to notify the OAIC as soon as possible and take action immediately to prevent further breaches,” he said.
This incident brings to light a section of Australian privacy law that needs to improve. Luckily, in this incident, Telstra did the right thing and notified its customers and the Privacy Commissioner of the data breach immediately.
But when the Sony PlayStation data breach occurred in May, Sony did not notify its customers immediately; it took about a week. In that time its customers were vulnerable to identity theft, and there was nothing our Government could do as recourse. Our data breach notification laws currently do not require companies to notify their customers immediately following a data breach.
The Australian Law Reform Commission has recommended amendments to this law, and the Government is currently considering the recommendation.
The dangers of data breaches
If the wrong person gets hold of someone’s personal details, they can potentially build a profile of identity documentation that can give them the opportunity to commit fraud.
Fraudsters who have access to small pieces of specific information on someone can then build on that profile, eventually requesting ‘replacement’ copies of driver’s licences. They can then access bank accounts, get credit cards, apply for loans and phone accounts, and in some cases buy property in someone else’s name. There are some identity theft cases where fraudsters have even mortgaged or sold the family home of their identity theft victims.
Once someone’s identity has been stolen, their credit file is generally tarnished. This credit file blemish will unfortunately haunt the victim for 5 years while the listing/s remain on their credit file. Credit file blemishes generally deny someone access to most credit for the term of the default.
It is important for everyone to know they can order a free copy of their credit file report every year from one or more of the credit reporting agencies in Australia: Veda Advantage, Dun and Bradstreet, and Tasmanian Collection Services.
Contact MyCRA Credit Repairs for help with repairing credit files following identity theft.