This case note has been taken from the recently published second edition of a Guide to ACT Strata Law.
In October 2016, a database file containing information relating to approximately 555,000 prospective blood donors was inadvertently saved to a publicly accessible portion of a webserver managed by an employee of the third-party provider, Precedent Communications. Some of the accessible information was particularly sensitive and related to sexual behaviours.
The Red Cross became aware of the breach after an unknown individual who discovered the vulnerability contacted a cyber security expert, Troy Hunt. Mr Hunt then contacted the internet service provider that hosted the website to have access to the website removed.
Upon being notified of the breach, the Red Cross took immediate steps to contain it. These included:
- confirming (through AusCert) that a copy of the data file held by the unknown individual and Mr Hunt had been deleted;
- engaging an identity and cyber support service to undertake a risk assessment of the information compromised;
- issuing press releases confirming that a data breach had occurred and publishing statements on its website and social media sites;
- establishing a dedicated website, telephone hotline and email inquiry facility to respond to public enquiries, and notifying affected individuals via text message and email; and
- engaging specialist organisations to conduct a forensic analysis of the exposed server, to monitor its website for any vulnerabilities or unusual activity, and to monitor the dark web for evidence that the data was being traded.
The Commissioner found that the Red Cross had failed to implement contractual or other measures to ensure that Precedent Communications had adequate security arrangements. Nonetheless, the Commissioner commended the Red Cross for its quick response and handling of the breach, noting that its response provides a model of good practice for other organisations. Since the incident, the Red Cross has enhanced its information handling practices and provided an enforceable undertaking to engage an independent reviewer to review its third-party management policy and standard operating procedure. Precedent Communications has also provided an enforceable undertaking to the Commissioner’s office to establish a data breach response plan and to update its privacy and data protection policy.
This is general information and should not be considered to be legal advice. You should obtain legal advice specific to your individual situation.