CBA data breaches a “sharp reminder” to the industry
The action by the Office of the Australian Information Commissioner to compel the Commonwealth Bank to review its processes around privacy is “sharp reminder” to the industry to proactively manage their data.
On Thursday, the bank announced that the OAIC had accepted a court-enforceable undertaking. The EU relates to two key data breaches by the bank including the loss of storage tapes of up to 20 million customers by a third-party in May 2016 and inadequate internal access controls around customer data that was reported in August 2018.
CBA will now to review its privacy policies, procedures and retention standards, and provide staff training to ensure compliance.
The bank must also assess its IT services and systems to make sure it takes appropriate steps to control access to customers’ personal information.
The undertaking will be overseen by an independent external reviewer, who will consult with and report to the OAIC on CBA’s compliance. The OAIC may take court action at any stage if CBA does not fully comply with the terms of the undertaking.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said the inquiries took into account a report from APRA which found CBA was reactive in dealing with risks and compliance matters.
“The Australian community expects financial service providers, and indeed all organisations, to be proactive in protecting the personal information they hold,” Commissioner Falk said.
“Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction.
“As a result of this work, CBA has committed through a court-enforceable undertaking to substantially improve their privacy practices.”
Commissioner Falk said all organisations regulated under the Privacy Act 1988 should proactively manage their data holdings to protect people’s personal information.
“When an organisation is entrusted with our personal information, access must be limited to a need-to-know basis and the data must not be kept past its use-by date,” she said.
“This matter should send a sharp reminder to all organisations that data holdings must have a clearly defined retention period and should be securely destroyed or de-identified when no longer needed. Failing to do so can increase the risk that personal information will be compromised.
“Organisations are also responsible for enforcing these measures when outsourcing to contracted service providers.”
The enforceable undertaking is part of the Australian Information Commissioner’s ongoing work in regulating data handling practices in the financial services sector, including compliance with the Notifiable Data Breaches scheme.