Telecommunications firm TeleChoice has agreed to pay for 12 months of credit monitoring for customers affected by a privacy breach.
The company agreed to the enforceable undertaking after an investigation by acting Australian Information Commissioner, Timothy Pilgrim. The investigation followed the discovery of the personal details of former TeleChoice customers in a shipping container.
The records included individuals who were customers prior to 31 March 2013.
The Office of the Australian Information Commissioner became aware of the incident after a Channel 9 News report on 23 April 2015. TeleChoice provided the OAIC with a voluntary data breach notification about the incident on 24 April.
According to TeleChoice, the personal information in the shipping containers had been awaiting destruction. The containers were on private land, locked and checked monthly by a maintenance representative. However, the containers were broken into.
When TeleChoice became aware of this, it removed all of the personal information and destroyed it, except for a small sample. As a result of this, the company could not confirm the identity of the customers affected by the incident.
Pilgrim's investigation looked at whether TeleChoice took reasonable steps to secure the personal information it held, and to destroy or de-identify personal information that it no longer needed, as required by Australian Privacy Principle (APP) 11.
During the course of the investigation, TeleChoice acknowledged that it had not complied with APP 11, and, as part of the enforceable undertaking, took specific steps to improve its information security and destruction practices to mitigate the risk of a similar incident occurring in the future.
“This incident demonstrates the importance of businesses securing the personal information that they hold. Physically locking a container that holds personal information is not sufficient if the container is publicly accessible and unmonitored for extended periods,” Pilgrim said.
“The enforceable undertaking provides a positive outcome for people affected by the breach, with TeleChoice agreeing to, amongst other things, reimburse the cost of a 12-month credit monitoring service for affected individuals who are concerned about the possibility of credit fraud,” said Pilgrim.
Consumers who want to be reimbursed for the cost of a 12 month credit monitoring service will need to demonstrate to TeleChoice that they were a customer prior to 31 March 2013.
Individuals who think they may have been affected by the privacy breach can contact the company at firstname.lastname@example.org.
However, the report said that this was still a “significant increase” over previous years and may reflect a growing awareness among Australians of privacy as an issue of concern.
It could also signal that the community is more aware of the formal right to make a complaint due to the Privacy Act reforms, the report said.