9/30/2015
Recap
Part 1 of this series primarily [...] framework [...] organisation. But as [...] for the [...] Trading Corporations [...].
All APP Entities are required to publish a privacy policy that deals with the [...] promote their online [...] between [...] trusted [...] the belief [...] organisation is [...] Commission [...] have jurisdiction to intervene if a [...] will [...] non-face-to-face [...] published representations.2
Security and Privacy: Know your Regulator, Part 3
Part 3 of [...] Penetration [...] and security [...] is [...] for Australian Business.
[...] concerning [...]. The [...] issues [...] you [...] release, [...] following [...] series on [...]. For example, if [...] trader [...] that [...] will [...] does [...] this [...] be [...] Australia.
Federal [...] Federal [Trade] Commission [...] in [...] policy. [...] have [...] authority [...] Consumer [...] Worldwide [...] computer [...] consumers [...] personal [...] financial [...] secure [...] hundreds of thousands of [...] in the (Wyndham [...] the consumer market.4
[...] jurisdiction [...] not [...] meet [...] privacy [...] Consumers [...] information [...] want [...] security [...] implemented [...] framework [...] by [...]. The Privacy [...] the organisation [...] District [...] Trade [...] Court [...] of [...] Commission [...] defendant [...] FTC did not have [...] equally applicable [...] in [...] Wyndham Case [...] over Wyndham [...] Corporations [...] systems. These [...] information [...] $10.6 million [...] for [...] in [...] or [...] in contravention of 15 U.S.C. [...] to monitor [...]
Wyndham Worldwide is a large and highly profitable US-based hospitality company [...] three subsidiaries. [...] name to approximately 90 independently owned hotels. Each Wyndham-branded hotel has a property management system that processes [...] addresses, telephone numbers [...] payment card [...]

4 https://www.fbi.gov/aboutus/investigate/cyber/identity_theft <accessed 25 Sept 2015>
5 Federal Trade Commission v. Wyndham Worldwide Corporation and Others (Case No. 14-3514), United States Court of Appeals for the Third Circuit. Decision filed 24 August 2015.
Now section 29 of the Australian Consumer Law [...] characteristics, accessories, uses or benefits; or
Note 1: A pecuniary penalty may be imposed for a contravention of this subsection. (Emphasis added)
Penalty:
(a) if the person is a body corporate: $1,100,000; or
(b) if the person is not a body corporate: $220,000.
The offence of strict liability as provided in section 151 is an offence where no fault elements apply to the physical elements of the offence. Strict liability can only apply to an offence if the provision creating the offence specifies that it is a strict liability offence. The defence of mistake of fact is available for a strict liability offence, because a reasonable mistake of fact negates mens rea (the intention element); a mistake of law, by contrast, is no excuse at all.8 In the absence of an express statement that an offence is one of strict liability, as there is in the case of section 29, a court will be obliged to interpret the offence as a fault offence rather than a strict liability offence, and will require proof of fault elements in relation to the physical elements.
The ACCC has extensive powers and far greater resources available to it than the OAIC. The annual budget for the OAIC is in the vicinity of $13.6 million,9 whereas the annual budget for the ACCC is [...]

9 2013-2014 OAIC Annual Report, http://www.oaic.gov.au/aboutus/corporateinformation/annual-reports/oaicannual-report-201314/appendix9
[...] maintain and promote competition and remedy market failure, and protect the interests and safety of consumers and support fair trading in markets.
It is the second aspect that could see the ACCC intervene if there is a major data breach which could be attributed to a non-alignment between a privacy policy and the implemented security framework.
Further, with these goals in mind, the ACCC has stated that it will take action to:
stop unlawful conduct;
deter future offending conduct;
where possible, obtain remedies that will undo the harm caused by the contravening conduct (for example, by corrective advertising or securing redress for consumers and businesses adversely affected);
encourage the effective use of compliance systems;
where warranted, take action in the courts to obtain orders [...]
Conclusion
Privacy and security in the commercial sector now go hand in hand. Any organisation that is an APP Entity and which collects, stores or processes any personal information must have a carefully drafted privacy policy that corresponds to the security framework actually implemented.
If there is a contravention of either APP 11 or section 29 of the Australian Consumer Law, then it is possible that the relevant regulator (the OAIC for the Privacy Act, the ACCC for the Australian Consumer Law) could commence proceedings. The ACCC is a much larger regulator than the OAIC, with far greater capacity and expertise in prosecuting contraventions of the ACL.
It is recommended that APP Entities have their privacy policy reviewed by a solicitor with the relevant expertise and, at the same time, have their security framework audited, so that they do not contravene either the Privacy Act or the Australian Consumer Law.
Next Issue
The next release will extend the issues raised in this release, in particular the following:
Is the organisation collecting Health Information?
Is the organisation an Australian Securities and Investments Commission regulated entity?
Is the organisation subject to the Australian Prudential Regulation Authority?
Finally, there will be a discussion of the reasonable steps needed to protect an organisation from an investigation by any regulator that has jurisdiction.