Cupid Media risks privacy of the dateless

The Privacy Act 1988 (Cth) (Privacy Act) requires entities to take reasonable steps to secure personal information.

The Australian Privacy Commissioner's own motion investigation found that dating website Cupid Media Pty Ltd (Cupid) failed to take reasonable steps to secure the personal information of over 254,000 of its users when computer hackers gained access to information on user accounts.

The Privacy Act requires entities to take reasonable steps to ensure personal information is free from misuse, interference and loss, as well as unauthorized access, modification or disclosure.

The personal information compromised by the breach included users' full names, dates of birth, email addresses and passwords.  The profiles of users also contained sensitive information such as ethnicity and religion.

The steps required under the Privacy Act to secure personal information will vary depending on the circumstances, which may include the:

  • quantity of the personal information;
  • nature or type of personal information;
  • whether the information includes sensitive information;
  • risk or consequences of unauthorized access;
  • data handling practices of the entity; and
  • ease, cost and practicality of implementing security measures.

Were reasonable steps taken?

In the case of Cupid Media, the Commissioner considered taking the following steps reasonable:

1. Information and patch management and procedures

  • introduce patch application and management, this includes processes to identify and install patches and security updates from suppliers;
  • respond to notifications and recommendations from software developers in relation to patch management;
  • install antivirus software protection on all servers, and act on software update and maintenance notifications;
  • implement database segregation with restricted access (further segregation may be necessary where a database contains sensitive information);  and
  • install malware detection and prevention software and antivirus software.

2. Testing and monitoring security systems

  • conduct daily vulnerability scans; and
  • use intrusion prevention and intrusion detection firewalls.

3. Password and encryption

  • account lockout and a strong password policy (this alone was not found to be sufficient);
  • salting, hashing or encrypting passwords, in addition to physical security and access limitations; and
  • a password reset process used in the event of a breach, which included encouraging users to reset the password where it is also used on other websites and accounts.
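The three password controls listed above fit together in code more clearly than in prose. The following Python is an added example written for this commentary; it is not Cupid's system and does not come from the Commissioner's report. It stores only a salted, slow hash of each password (never the password itself), locks an account after repeated failures, and supports the breach-time forced reset. The PBKDF2 work factor, the lockout threshold, the record format and the sample email addresses are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Work factor and salt size are assumptions for this example, not figures from the report.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$digest_hex'.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be cracked with one precomputed list.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:          # malformed record (e.g. a legacy plaintext value)
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """In-memory account table: salted hashes, lockout, and a breach-time forced reset."""

    MAX_FAILED_ATTEMPTS = 5     # assumed lockout threshold

    def __init__(self, iterations: int = PBKDF2_ITERATIONS) -> None:
        self.iterations = iterations
        self._records: Dict[str, dict] = {}
        # Verified against when the email is unknown, so response time does not
        # reveal whether an account exists.
        self._dummy_hash = hash_password("dummy", iterations=iterations)

    def register(self, email: str, password: str) -> None:
        self._records[email] = {"hash": hash_password(password, iterations=self.iterations),
                                "failed": 0, "locked": False, "must_reset": False}

    def login(self, email: str, password: str) -> str:
        """Return 'ok', 'reset_required', 'locked' or 'denied'."""
        rec = self._records.get(email)
        if rec is None:
            verify_password(password, self._dummy_hash)
            return "denied"
        if rec["locked"]:
            return "locked"
        if not verify_password(password, rec["hash"]):
            rec["failed"] += 1
            if rec["failed"] >= self.MAX_FAILED_ATTEMPTS:
                rec["locked"] = True
                return "locked"
            return "denied"
        rec["failed"] = 0
        return "reset_required" if rec["must_reset"] else "ok"

    def force_reset_all(self) -> int:
        """Breach response: every account must choose a new password before use."""
        for rec in self._records.values():
            rec["must_reset"] = True
        return len(self._records)

    def reset_password(self, email: str, new_password: str) -> None:
        self._records[email].update(hash=hash_password(new_password, iterations=self.iterations),
                                    must_reset=False, failed=0, locked=False)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "correct horse battery staple")  # constructed sample user
    print(store.login("alice@example.com", "correct horse battery staple"))  # ok
    store.force_reset_all()
    print(store.login("alice@example.com", "correct horse battery staple"))  # reset_required
```

Because the stored record carries its own algorithm and iteration count, the work factor can be raised later and old records re-hashed on the user's next successful login; a table of plaintext passwords offers no such path, which is why the report treats salting and hashing, rather than lockout alone, as the reasonable step.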

4. Secure destruction or permanent de-identification

  • introduce a procedure to identify information the entity no longer needs or is no longer relevant;
  • introduce a process of how to securely destroy or de-identify personal information; and
  • implement procedures to permanently destroy or de-identify personal information including inactive or unused accounts.
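The three items above describe a retention procedure: identify what is no longer needed, decide how it is removed, and run that removal routinely over inactive accounts. The following Python is an added example written for this commentary, not code from Cupid or from the Commissioner's report. It applies an assumed inactivity rule to a constructed account table and strips every identifying and sensitive field from the stale records, keeping nothing reversible. The 365-day limit, the field names and the sample people are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Retention rule assumed for this example (not taken from the report): an account
# with no login for this long is treated as no longer needed.
INACTIVITY_LIMIT = timedelta(days=365)


@dataclass
class Account:
    user_id: int
    full_name: Optional[str]
    email: Optional[str]
    date_of_birth: Optional[date]
    ethnicity: Optional[str]      # sensitive information under the Privacy Act
    religion: Optional[str]       # sensitive information under the Privacy Act
    last_login: date
    deidentified: bool = False


def find_stale_accounts(accounts: List[Account], today: date,
                        limit: timedelta = INACTIVITY_LIMIT) -> List[Account]:
    """Step 1: identify the records the entity no longer needs."""
    return [a for a in accounts if not a.deidentified and today - a.last_login > limit]


def deidentify(account: Account) -> Account:
    """Step 2: remove, in place, every field that identifies the person.

    No encrypted copy or lookup key is retained, so the record cannot be linked
    back to an individual even if the database is later stolen.  The opaque
    numeric user_id is kept only so that references from other tables do not
    dangle; on its own it carries no personal information.
    """
    account.full_name = None
    account.email = None
    account.date_of_birth = None
    account.ethnicity = None
    account.religion = None
    account.deidentified = True
    return account


def apply_retention_policy(accounts: List[Account], today: date) -> List[int]:
    """Step 3: run the policy and return the ids of records de-identified this run."""
    stale = find_stale_accounts(accounts, today)
    for account in stale:
        deidentify(account)
    return [a.user_id for a in stale]


def sample_accounts() -> List[Account]:
    """Constructed sample data for the example; these are not real users."""
    return [
        Account(1, "Alice Example", "alice@example.com", date(1985, 4, 2),
                "Not stated", "Not stated", last_login=date(2013, 12, 20)),
        Account(2, "Bob Example", "bob@example.com", date(1979, 9, 15),
                "Not stated", "Not stated", last_login=date(2012, 6, 1)),
        Account(3, "Cara Example", "cara@example.com", date(1990, 1, 30),
                "Not stated", "Not stated", last_login=date(2013, 1, 15)),
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    print(apply_retention_policy(accounts, today=date(2014, 1, 1)))  # [2]
    print(accounts[1])   # every personal field is now None
```

Running the policy on a schedule, and recording which ids were processed on each run, gives the entity the evidence that the destruction procedure exists and is actually applied, which is what the report found missing; the same routine should also cover backups and exports, or the de-identification is only partial.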

While Cupid had sufficient patch management and testing and monitoring procedures, it did not have sufficient mechanisms to destroy or de-identify personal information or protect the passwords of its users.

The Privacy Commissioner found that, to its credit, Cupid responded appropriately to the security breach and cooperated with the Office of the Australian Information Commissioner during the investigation.

Data breach response plan

In the event of a data breach the Office of Information and Privacy Commissioner recommends implementing a data breach response plan.

A data breach response plan may include the following four (4) steps:

  1. Contain the breach

In the event of a data breach an entity should identify the cause or source of the breach and take reasonable steps to contain it.  This may include tracing the method of the breach, for example by analysing server logs.

  2. Assess the risks associated with the breach

The entity should assess the consequences of the breach and the likelihood that it will cause harm.  A breach that may cause financial, physical or psychological harm is generally considered more serious.

  3. Notification

In some circumstances it may be necessary to notify individuals that their data or personal information has been subjected to unauthorised access.  The decision to notify individuals may depend on the sensitivity of the information and whether the breach may cause harm to the individual.

  4. Taking active steps to prevent further breaches

The entity should take active steps to prevent future breaches.  This may include an audit of the entity's current data security, privacy procedures, and employee training and education.  Preventing future breaches may also require enlisting the help of legal and IT professionals.

In order to prevent future breaches Cupid was required to remove all compromised material and conduct multiple scans of servers using a specific rootkit detector.  These scans were used to confirm that all malicious files were removed.

Amendments to the Privacy Act

Cupid’s security breach occurred before the amendments to the Privacy Act.  These amendments resulted in the National Privacy Principles and Information Privacy Principles being replaced by thirteen (13) new Australian Privacy Principles.   Despite these changes, the security requirements under the Privacy Act remain largely unchanged.

The amendments did, however, introduce new civil penalty orders for breaches of the Privacy Act.  The civil penalty provisions currently allow for penalties of up to:

  • $A340,000 for an individual;  and
  • $A1.7 million for a company.

Links and further references

Legislation

Privacy Act 1988 (Cth)

Privacy Amendment (Enhancing Privacy Protection) Act 2012

Related articles

Legal issues for data loss

Data Breach Bill 2016 – considerations for data security

Privacy determination – Sensitive Information held in garden shed

Are your privacy practices compliant with the amended Privacy Act 1988 (Cth)?

Other references

Office of the Australian Information Commissioner, APP Guidelines

Office of the Australian Information Commissioner, Australian Privacy Principles 

Cupid Media Pty Ltd: Own motion investigation report

Further information

If you need further information about complying with the Privacy Act 1988 (Cth), please contact us for an obligation free and confidential discussion.


Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.

Legal Practice Director

Telephone: (07) 3221 0013

Mobile: 0419 726 535

e: mburrows@dundaslawyers.com.au

Disclaimer

This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
