ABN: 81 141 521 571

9/30/2015

Edition 2015 Volume 3 Part 2

Security and Privacy: Know Your Regulator

Security and Privacy: Know your Regulator, Part 3

Recap

Part 1 of this series primarily dealt with the scope of the Privacy Act 1988 (Cth) and how it was extended in 2014. The OAIC has compliance responsibilities and has been given the power to impose penalties, which need to be approved by the Federal Court. But as stated in Part 1, the OAIC and the Privacy Commissioner are not the only regulators who can intervene in a breach of privacy.

NEXT ISSUE

It was intended that this issue would concern the legality of penetration testing, but the issue of privacy and security is becoming a major pressing matter for Australian business. The issues concerning "know your regulator" are intricate and will require analysis over the next release, following which an analysis of what are the reasonable steps for security will be discussed. Following this series on Know Your Regulator, the penetration testing issue will be released.

Trading Corporations

All APP Entities are required to publish a privacy policy that deals with the compliance issues in relation to the Australian Privacy Principles (APPs). It is not uncommon for organisations to promote their online privacy policy as a way to create a trusted belief between the organisation and its constituent market. Since trading via the internet is a non-face-to-face transaction, the concept of trust is very important1. As has been stated many times, trust has to be earned and can easily be lost if the trader does not meet any of its published representations2. For example, if a trader represents that it will fulfil an order within 24 hours and then does not meet this representation, the consumer could lose total trust in the relevant trader. The same can be said of a published privacy statement, especially as regards the security aspects detailed in the policy. Consumers want to have confidence that the online trader will deliver the stated goods but also will keep the consumer's personal information secure.

As to the privacy policy, there will be a statement concerning the security framework implemented by the organisation. This is required under APP 11 (see Part 1 of this newsletter). The privacy policy is usually used to create confidence in the market place that the organisation will ensure that the PII collected is secure against unauthorised third party access.

If the organisation is a trading corporation or trades over the internet, then the Australian Competition and Consumer Commission will have jurisdiction to intervene if a data breach occurs and the privacy policy does not align with the implemented security framework3. It has been noted by the FBI that identity theft continues to be a major criminal activity globally, and as such the security of personal data held in online repositories is of utmost importance to the consumer market4.

Recently, the Third Circuit of the Federal Court of Appeal in the USA held that the Federal Trade Commission [FTC] (the equivalent of the Australian Competition and Consumer Commission [ACCC]) has the authority to regulate a company's data security practices under the unfair practices aspect of Section 5 of the Federal Trade Commission Act. Section 5 deals with the jurisdiction of the FTC, and it was argued by the defendant (Wyndham Worldwide Corporation) that the FTC did not have jurisdiction to monitor or regulate the security practices of Wyndham. The equivalent in Australia would be section 29 of the Australian Consumer Law (ACL), which is embodied in Part 3-1 (Unfair Practices) in Schedule 2 of the Competition and Consumer Act 2010 (Cth). The rationale of this decision is most illuminating. It is highly likely that the reasoning stated in the Wyndham case would be equally applicable in Australia.

In 2008 and 2009 hackers successfully accessed, without authority, Wyndham Worldwide Corporation's computer systems. These hackers stole personal and financial information for hundreds of thousands of Wyndham customers, resulting in over $10.6 million in fraudulent credit card charges. The FTC brought an action in the US Federal District Court claiming that the Wyndham privacy policy was deceptive and thus in contravention of 15 U.S.C. 45(a). The FTC not only succeeded in this case at first instance but also on appeal5.

Wyndham Case

Wyndham Worldwide is a large and highly profitable US based hospitality company that franchises and manages hotels and sells timeshares through three subsidiaries. Wyndham licensed its brand name to approximately 90 independently owned hotels. Each Wyndham-branded hotel has a property management system that processes consumer information, which includes names of customers, customer physical addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes.

The FTC alleged, among other things, that at least since April 2008 Wyndham engaged in unfair cybersecurity practices in the following manner:

Wyndham allowed Wyndham-branded hotels to store payment card information in clear readable text;

Wyndham allowed the use of easily guessed passwords to access the property management systems;

Wyndham failed to use "readily available security measures, such as firewalls, to limit access between [the] hotels' property management systems, ... corporate network, and the Internet". This aspect only applied to access between hotels within the Wyndham group; Wyndham had deployed firewalls in other aspects of their business but not between hotels within the group franchise arrangement; and

Wyndham allowed hotel property management systems to connect to its network without taking appropriate cybersecurity precautions. It did not ensure that the hotels implemented adequate information security policies and procedures. Wyndham failed to employ reasonable measures to detect and prevent unauthorized access to its computer network or to conduct security investigations.

Further, Wyndham had published a privacy policy on its website that stated the following:

"We safeguard our Customers' personally identifiable information by using industry standard practices. ... we make commercially reasonable efforts to make our collection of such [i]nformation consistent with all applicable laws and regulations. Currently, our Web sites utilize a variety of different security measures designed to protect personally identifiable information from unauthorized access by users both inside and outside of our company, including the use of 128-bit encryption based on a Class 3 Digital Certificate issued by Verisign Inc. ... This protects confidential information, such as credit card numbers, online forms, and financial data, from loss, misuse, interception and hacking. We take commercially reasonable efforts to create and maintain 'fire walls' and other appropriate safeguards ...."

On the facts as alleged by the FTC (which the Court was required to accept at that stage of the proceedings), the Court accepted the following in relation to this privacy policy:

1. Wyndham did not implement an appropriate security framework that corresponds to standard industry practice;

2. The privacy policy was deceptive as regards the services being offered by Wyndham concerning the collection, storage and security of PII (customer data).

Now section 29 of the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010 (Cth)) could be utilised by the ACCC to commence an action similar to that which the FTC did in the USA. Section 29 in part relevantly provides as follows:

(1) A person must not, in trade or commerce, in connection with the supply or possible supply of goods or services or in connection with the promotion by any means of the supply or use of goods or services:

(b) make a false or misleading representation that services are of a particular standard, quality, value or grade; or

(g) make a false or misleading representation that goods or services have sponsorship, approval, performance characteristics, accessories, uses or benefits; or

Note 1: A pecuniary penalty may be imposed for a contravention of this subsection.

(Emphasis added)

1 McCullagh, A., The Incorporation of Trust Strategies in Digital Signature Regimes, unpublished Ph.D. Thesis, QUT, 2001.
2 McCullagh, A., E-Commerce: A Matter of Trust, ACS Information Industry Outlook Conference, November 1998, http://www.acs.org.au/president/1998/past/io98 <accessed 25 Sept 2015>.
3 IBM & Ponemon report, 2015 Cost of Data Breach Study: Global Analysis, http://www03.ibm.com/security/databreach/?&S_PKG=&ct=&jm=&S_TACT=&iio=BSEC&cmp=&cr=google&cm=k&csr=Unbranded|Search|Security+Services+Research++Awareness|ROW|3571&ccy=us&ck=cost%20of%20data%20breach&cs=p&cn=Data_breach&mkwid=sdReQ2a9Ndc_50705364711_43246d30503_ <accessed 25 Sept 2015>.
4 https://www.fbi.gov/aboutus/investigate/cyber/identity_theft <accessed 25 Sept 2015>.
5 Federal Trade Commission v. Wyndham Worldwide Corporation and Others (Case No. 14-3514), United States Court of Appeals for the Third Circuit, decision filed 24 August 2015.

If there was a major data breach in Australia which caused substantial harm to a large number of consumers, and it was later discovered that the organisation affected had a substantial misalignment between its published privacy statement and the actual security framework implemented, then the ACCC could commence an investigation, and such an investigation could result in the ACCC commencing proceedings in the Federal Court seeking some redress based on the failure.

The pecuniary penalty mentioned in section 29 is the imposition of a civil penalty as opposed to a criminal penalty. Being a civil penalty, the ACCC only has to prove its case on the balance of probabilities, whereas in a criminal case (see section 151 of Schedule 2 of the ACL) the onus of proof is beyond reasonable doubt6. As the ALRC noted:

"A number of provisions under federal regulatory laws provide for parallel criminal liability and civil penalties for the same conduct (citation omitted). Under this model criminal or offence provisions generally require proof to a criminal standard (beyond reasonable doubt) of physical elements and certain fault elements (usually intention or recklessness). Civil penalty provisions may require proof of the same physical elements to a civil standard (on the balance of probabilities), however, they often do not require proof of any fault elements."7

Section 151 is the corresponding criminal section for misleading and false statements. Liability under section 151 is stated to be strict liability (subsection 4 of section 151). Section 151 is relevantly drafted in the same terms as section 29, as follows:

A person commits an offence if the person, in trade or commerce, in connection with the supply or possible supply of goods or services or in connection with the promotion by any means of the supply or use of goods or services:

(b) makes a false or misleading representation that services are of a particular standard, quality, or grade; or

(g) makes a false or misleading representation that services have performance characteristics, or benefits; or

Penalty:
(a) if the person is a body corporate: $1,100,000; or
(b) if the person is not a body corporate: $220,000.

The offence of strict liability as provided in section 151 is an offence where no fault elements apply to the physical elements of the offence. Fault elements apply to an offence unless the offence specifies that it is a strict liability offence. The defence of mistake of fact is available for a strict liability offence, even though intention (mens rea) does not have to be proved; a mistake of law, by contrast, is no excuse at all8. In the absence of an express statement that an offence is one of strict liability, such as that in section 151(4), a court will be obliged to interpret the offence as a fault offence rather than a strict liability offence, and will require proof of fault elements in relation to the physical elements.

The ACCC has extensive powers and far greater resources available to it than the OAIC. The annual budget for the OAIC is in the vicinity of $13.6 million9, whereas the annual budget for the ACCC is in excess of $183 million10. Admittedly, the ACCC has a far greater scope of responsibility in its portfolio, but it will only take a substantial data breach to have the ACCC intervene.

The ACCC has stated that its principal goals are to:

maintain and promote competition and remedy market failure, and

protect the interests and safety of consumers and support fair trading in markets.

It is the second aspect that could see the ACCC intervene if there is a major data breach which could be attributed to a non-alignment between a privacy policy and the implemented security framework.

Further, with these goals in mind, the ACCC has stated that it will take action to:

stop unlawful conduct;

deter future offending conduct;

where possible, obtain remedies that will undo the harm caused by the contravening conduct (for example, by corrective advertising or securing redress for consumers and businesses adversely affected);

encourage the effective use of compliance systems;

where warranted, take action in the courts to obtain orders which punish the wrongdoer by the imposition of penalties or fines and deter others from breaching the Act.

Of course, even though the ACCC is much larger than the OAIC, it does not mean that the ACCC will necessarily intervene. As stated, it has a wide regulatory scope and as such it is still restricted in its capacity to prosecute contraventions of the ACL. The ACCC notes that legal proceedings are really a last resort which will only be taken after having regard to all the circumstances. In making its decision the ACCC notes that litigation must be the most appropriate way to achieve its enforcement and compliance objectives. The ACCC is more likely to proceed to litigation in circumstances where the conduct is particularly egregious (having regard to the priority factors), where there is reason to be concerned about future behaviour, or where the party involved is unwilling to provide a satisfactory resolution to the issue. The ACCC encourages enforceable undertakings, as this is a cost effective method to achieve its goal without the requirement of adversarial litigation.

It is not uncommon in Australia for different regulatory agencies to investigate the same fact circumstances. Further, the penalty regime which the ACCC can impose is greater than that under the Privacy Act. As a result of the Wyndham case in the USA, many corporations are presently having their security frameworks audited and having their privacy policy reviewed by a solicitor who has the necessary security and privacy expertise. There must be alignment between the security actually implemented and the published privacy policy.

Conclusion

Privacy and security in the commercial sector now go hand in hand. Any organisation that is an APP Entity and which collects, stores or processes any personal information must have a carefully drafted privacy policy that corresponds to the security framework implemented. If there is a contravention of either APP 11 or section 29 of the Australian Consumer Law, then it is possible that the relevant regulator (the OAIC or the ACCC) could commence proceedings. The ACCC is a much larger regulator than the OAIC with far greater capacity and expertise in prosecuting contraventions of the ACL. It is recommended that APP Entities should have their privacy policy reviewed by a solicitor with the relevant expertise and at the same time have their security framework audited, so that they do not contravene either the Privacy Act or the Australian Consumer Law.

Next Issue

The next release will extend the issues raised in this release; in particular the following will be discussed:

Is the organisation collecting Health Information?

Is the organisation an Australian Securities and Investments Commission regulated entity?

Is the organisation subject to the Australian Prudential Regulation Authority?

Finally, there will be a discussion on what are the reasonable steps needed to protect an organisation from an investigation by any regulator that has jurisdiction.

6 ALRC, For Your Information: Australian Privacy Law and Practice (ALRC Report 108), published 12 August 2008.
7 Ibid, Chapter 71.
8 See Division 9, Circumstances involving mistake or ignorance, Commonwealth Criminal Code 1995.
9 2013-2014 OAIC Annual Report, http://www.oaic.gov.au/aboutus/corporateinformation/annual-reports/oaicannual-report-201314/appendix-two-financial-statements-2013-14 <accessed 25 Sept 2015>.
10 ACCC 2013-2014 Annual Report, https://www.accc.gov.au/publications/accc-aer-annualreport/accc-aer-annual-report2013-14 <accessed 28 Sept 2015>.

Adrian McCullagh: ODMOB Lawyers
Ajmccullagh57@gmail.com

If anyone wishes to subscribe to this newsletter then please contact the author by email.

PLEASE NOTE this paper is NOT the provision of legal advice. If a reader has an issue then they should seek appropriate legal advice. The author makes no warranty as to the correctness of anything contained in this paper. This paper is the sole opinion of the author and must not be relied upon as legal advice. Every situation is different and as such proper analysis must be undertaken when seeking a legal opinion. Consequently, the author takes no responsibility for any errors that may exist in this paper and certainly takes no responsibility if any reader takes any actions based on what is (expressly or by implication) contained in this paper. All readers take full responsibility for anything they may do in reliance on anything contained in this paper.