AIC v Medibank – Concise Statement released by OAIC

Written by John Keeves (Partner), Sophie Dawson (Partner)

A Concise Statement released by the Office of the Australian Information Commissioner (OAIC) this week provides important insights into the OAIC’s security expectations in relation to large companies with sensitive data sets. This is evidence that regulators are continuing to lift the bar for compliance in this increasingly important area, and is a reminder to APP entities to regularly check that sufficient security measures are in place, and to also follow up on consultants’ recommendations and monitor compliance. Medibank has not yet filed its response in the proceedings. The Court’s decision in this matter will provide important guidance as to the security steps necessary to comply with Australian Privacy Principle 11.1 and as to the penalties which organisations may face for non-compliance.

On 17 June 2024, the Australian Information Commissioner published a redacted version of the Concise Statement in connection with its civil penalty enforcement action in the Federal Court of Australia against Medibank under section 13G of the Privacy Act 1988 (Cth). The proceedings relate to alleged breaches of Australian Privacy Principle (APP) 11.1, which requires entities to take such steps as are reasonable in the circumstances to protect personal information from misuse, interference, loss and from unauthorised access, modification or disclosure.

The Commissioner alleges that Medibank failed to take reasonable steps to protect the personal information that it held. In Annexure B to the Concise Statement, the Commissioner sets out the steps that it says Medibank should have taken. The alleged deficiencies are set out in the fully redacted Annexure D of the Concise Statement.

The Concise Statement repays careful study for at least four reasons.

The background

First, it tells us (subject to redactions) exactly what is alleged to have gone wrong and what the Commissioner alleges happened to give rise to a data breach affecting 9.7 million Australians.

According to the Concise Statement, an employee of a contractor to Medibank had access to an administrator level account. This account had access to most, if not all, of Medibank’s systems. The credentials to the account were stolen from the person’s “personal computer” using malware.

Medibank allegedly did not use multi-factor authentication.

The “threat actor” was able to log into Medibank’s VPN with the stolen credentials and exfiltrate 520 gigabytes of data, including personal and sensitive information.

Medibank allegedly did not react to various automated alerts triggered by the threat actor’s activity until a “highly sensitive incident” was noticed on 11 October 2022, more than two months after the credentials were stolen.

What the OAIC thinks should have been done

Second, and perhaps more importantly, the Concise Statement tells us what the Commissioner thinks Medibank should have done. This is a helpful list of OAIC expectations for APP entities which hold large amounts of sensitive information. It is not of course a comprehensive one, as it presumably is confined to the particular steps which are relevant to the proceedings.

The Concise Statement confirms the approach foreshadowed in the Australian Privacy Principles Guidelines (the Guidelines) and the Guide to Securing Personal Information (the Guide) of taking into account the size of the APP entity and the sensitivity of the personal information involved when determining what steps are “reasonable” in the circumstances. The Concise Statement alleges that Medibank’s size and the sensitivity of the affected personal information (which included health information and information about individuals’ race or ethnicity) are relevant to determination of what “reasonable steps” were required. Those matters were also relied upon by the Commissioner in support of the alleged interferences with privacy being “serious”.

In Annexure B the Commissioner alleges that Medibank should have implemented all or some combination of the following 11 things:

  1. multifactor authentication for access to the VPN;
  2. (additional) multifactor authentication for access to sensitive or critical assets within the network perimeter;
  3. proper change management controls;
  4. proper access privileges including “least privileges necessary” – a version of “need to know” – and regular reviews of access;
  5. proper monitoring of privileged accounts including to understand normal behaviour and alerts for unusual or suspicious behaviour;
  6. proper password complexity;
  7. password monitoring and review processes so that passwords were encrypted, undertaking password usage audits and security assessments of tools used to query important data sets;
  8. proper security monitoring processes, including review of all security alerts, clearly documented guidance and procedures for escalating security alerts, regularly reviewing work of first level alert review team and configuring volumetric alerts for large or abnormal volumes of data;
  9. proper security assurance testing, including annual penetration testing, internal audits and internal control effectiveness testing;
  10. proper application controls for critical servers; and
  11. effective contractor assurance, including regular audits, inspection or testing for compliance and ensuring clarity in the terms of contractor agreements and that the roles and responsibilities are clear where responsibilities for implementing, or assisting with the implementation of, security controls are outsourced.

The above list highlights the standards to which the Commissioner seeks to hold large companies when it comes to security and authentication practices – but there are pointers here for all organisations, large and small.

It is significant that the Commissioner has called out monitoring the activities of contractors. The Guidelines, the Guide and past determinations make it clear that it is necessary to have appropriate privacy and security terms in place with contractors to comply with APP 11.1. The Concise Statement makes it clear that it is necessary in the Commissioner’s view to also regularly audit, inspect or test contractor compliance with those terms and with expected security practices. 

The Concise Statement’s focus on contractual terms is also a good reminder that (without speculating as to what Medibank did), it is best practice to regularly review longstanding information technology and other contracts affecting data security to make sure they meet contemporary security standards.

Clearly, companies should have regard to the Commissioner’s above statements about what should have been done when reviewing their own cybersecurity policies and practices.

Construction of section 13G of the Privacy Act

Third, the Concise Statement provides guidance as to the OAIC’s construction of “interference with privacy” for the purpose of applying section 13G which is the civil penalty provision to alleged breaches of APP 11.1. Under the Privacy Act at the relevant time, each “interference” potentially attracts a maximum penalty of A$2.2 million.  

The Commissioner claims that the alleged contraventions were “serious” because of:

  • the claimed deficiencies in Medibank’s cybersecurity and information security frameworks, including failure to implement or properly implement controls of a basic or baseline nature or standard for an organisation like Medibank and given the sensitivity of the personal information held by it;
  • the nature of the personal information held, including sensitive information; and
  • the consequences of the data breach, including the exposure of individuals to harm, including emotional distress, risk of identity theft, extortion and financial crime.

These points are significant because “serious” or “repeated” interferences with privacy trigger the civil penalties under section 13G of the Privacy Act.

The Commissioner puts forward a total of four different approaches to construction of section 13G, and the Court’s choice of approach could affect the maximum penalty by reference to a multiplier of many millions. The Commissioner’s preferred approach is to count the number of interferences by reference to the number of people affected by the relevant acts or omissions (of whom there are alleged to be 9.7 million), with the result that the maximum penalties are extremely large (A$21,340,000,000,000). Further, at the high end of the scale, the Commissioner alleges that a further multiplier of the number of days in the Relevant Period should also be applied (the above figure multiplied by hundreds of days). At the lower end of the scale, the Commissioner alleges in the alternative that there was a contravention of section 13G and that, further, that contravention was repeated for each day in the Relevant Period.

The Court’s decision as to which of the approaches proffered in the Concise Statement (together with any further contentions by Medibank in relation to the construction of section 13G) is correct will have a significant impact on the extent of the total risk faced by companies under section 13G as it then stood, and under the revised civil penalty provisions which commenced in late 2022. The numbers reached by multiplying the penalties by reference to the number of individuals affected would be crippling for even the largest of companies – although assessment of civil penalties is not merely an arithmetical exercise.

By way of comparison, in the Commonwealth Bank AUSTRAC enforcement proceedings some 53,000 contraventions caused by a single coding error led to a penalty of A$150 million, with A$700 million being imposed for the totality of the conduct.

Of course, we should note that the penalties under section 13G have been increased from December 2022 to a maximum penalty of at least A$50 million per contravention (or possibly more based on turnover or the benefit derived), so for an (alleged) 9.7 million serious interferences the headline number is a staggering A$485 trillion. If the Commissioner’s “per person, per day” formulation is successful, the potential penalty is, obviously, even greater, potentially multiplied by the number of days in the relevant period.

Theoretical calculations aside, the Commissioner’s approach underscores the clear potential for significant penalties for data breaches, given that many data breaches involve the personal information of a large number of people and many go undiscovered for a significant period.

Follow through

Fourth, the Concise Statement highlights the importance of not only regularly assessing cybersecurity measures, but also following through on the recommendations made by consultants who conduct the assessments. The Commissioner alleges that during the Relevant Period, Medibank engaged external consultants to assess its security practices, and that Medibank did not take sufficient steps to address issues identified in those reports. Of course obtaining external consultants’ views is good practice. The approach taken in the Concise Statement underlines how important it is to follow through on reports and their recommendations. We have not yet heard Medibank’s explanation of what (if anything) it did do in response to the reports, and as to any practical or other obstacles which impeded its response to them.

In light of the Concise Statement (and without speculating as to what Medibank did or did not do), it is prudent for APP entities facing any reports on security which they may face challenges in addressing to obtain not only technical guidance but also legal advice so that senior management can fully understand all of the relevant risks when making resourcing and investment decisions. Engaging the legal team also has the advantage, if done properly, of creating a privileged environment in which legal risks can be openly discussed (although of course there are exceptions to the protection afforded by client legal privilege – they are limited).

Conclusion

Obviously, the Medibank enforcement proceeding is at an early stage and at this point the allegations made by the Commissioner are just that – allegations. Medibank will have an opportunity to file its defence and deny the allegations, and at trial (should the matter proceed that far) there will no doubt be much evidence provided and many submissions made about the applicable legal principles, and about other matters including the positive steps which Medibank did take to protect data.

As it develops, this matter will, like the Concise Statement, repay careful study by all those with an interest in cybersecurity. Which should be everyone.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).
