Posts Tagged ‘data security’

Customer may sue AT&T for breach of privacy

Saturday, August 22nd, 2009

The highly publicised breach of President Obama’s mobile phone records last year raised alarm and renewed debate  as to the level of protection the average citizen has over data privacy breaches involving their mobile phone records

Verizon employees were found to have  improperly accessed Obama’s phone records, resulting in their employment contracts being terminated.

Information Privacy laws differ from country to country, however as a general principle under data handling laws,  agencies and organisations have obligations  to keep information entrusted to them secure from improper access and disclosure.

Celebrities and other high profile targets have been the subject of relentless attacks and are obviously at higher risk for privacy breaches. However there have been many incidents where damage has been caused to businesses and individuals due to security breaches. Some of these are due to  internal security breaches whilst others have arisen from external threats.

There have been instances reported of business  competitors impersonating other businesses and having their business phones switched off by requesting account cancellation, a form of identity theft.

Mobile phone records and wireless laptops often contain a goldmine of sensitive personal, business and financial data which can be be used by criminals, disgruntled spouses and rival traders, the unauthorised disclosure of which can have an enormous impact on an individual or business.

The higher profile incidents raise broader concerns about how common such breaches are,  and how safe it is to assume that information on a wireless network can ever be completely secured from a range of  security threats.

Kevin Mitnick, former hacker and present Security Consultant, sought damages from AT&T for allowing his wireless account to be breached.  Mitnick had served a jail sentence for  computer hacking. He has  become such a  high-profile target that his own Web-hosting firm Hostedhere.net wouldn’t host Web pages for him anymore,  due to the number of  previous attacks upon his website.

Mitnick claims that his personal information, namely his address, land and mobile phone numbers, email address, instant messenger handles, PIN number and the last four digits of his Social Security number appeared on the web in hacking forums.

Mitnick claims he had  told AT&T of a pending breach however the company  failed to respond,  leading to improper access and disclosure of his personal information.  Instead of investigating how the security breach which  occurred with respect to the $2,000 a month customer, AT&T  elected to cancel Mitnick’s contract.

Mitnick had been a customer of AT&T for a period of ten years and requested damages for the breach of his privacy for the failure to adequately maintain the security of his account information.

AT&T assert that his claims have been investigated fully and were found to have lacked foundation.

Mitnick says this is a tacit admission that  AT&T are  unable or unwilling  to secure the personal information of their customers, and are taking the easy way out by simply terminating their accounts when breaches occur.

Mitnick now proposes to sue AT&T for breach of privacy at common law for failing to adequately protect his personal information. He claims that he called AT&T and asked them to take extra precautions to protect the security of his account, putting them on notice of a potential breach.  Mitnick asked that if someone tried to change his account in any way,   they be required to change the password verbally, not just provide a social security number. Mitnick had experienced a number of attacks upon his account, and had taken a number of measures to counter the attacks, for instance memorising his password, and not disclosing it or recording it.

The incident raises the legal question of what level of safeguards telecommunication companies have to implement to keep their  networks, servers and customer information secure from misuse and unauthorised access, whether by it’s own employees or persons seeking to unlawfully obtain access to customer’s information.

It is an important question given the number of organisations which have been besieged by security breaches and credit card thefts over the years.

AT&T would argue of course that their contract or terms of service state that they have  absolute discretion to terminate a user’s account without notice.  However, even if this is true,  where a user’s rights have been breached prior to the termination of their contract, it is questionable as to whether they could merely avoid any liability for their acts or omissions   prior to such termination.   It would seem an odd result for customers to be required to forfeit any rights they have under the terms of their contract or at law by simply having their account cancelled after the damage was done.

Social engineering scams, employee fraud and negligence are not uncommon in causing privacy breaches. Telecommunication companies have obligations under information privacy legislation and regulations to keep customer information secure by using reasonable safeguards.

The US Federal Trade Commission have developed privacy enforcement programs to make sure companies abide by their promises to consumers regarding their privacy, including taking reasonable measures to secure their personal information.

In Australia the Office of the Privacy Commissioner is responsible for investigating breaches of the National Privacy Principles contained within the Privacy Act 1988 (Cth).  There is legislation and industry codes specific to the telecommunications industry. Consumers can also lodge complaints about providers to the   Telecommunications Industry Ombudsman .

PRIVACY REGULATION IN AUSTRALIA

Privacy regulation has been subject to extensive review in Australia.  The legal regime for protection of privacy in Australia is fragmented and requires harmonisation and standardisation across States and the Commonwealth.

There is a recognised need for privacy rights to be streamlined  to promote uniformity and consistency in the application of standards.  For instance,  there are inconsistencies in the application of privacy laws,  with telecommunication companies  able adhere to a  lower standard of privacy than the principles embodied in the Privacy Act 1988 (Cth).

Providers can elect to be bound by the National Privacy Principles or can develop and be bound by an industry specific privacy code.  Telecommunication companies have obligations to take all reasonable steps to protect a customer’s personal information from misuse and loss and from unauthorised access, modifications or disclosure both under the Privacy Act 1988 and the Telecommunications Act 1997.

In relation to online transactions, a company may stipulate what it believes a reasonable level of encryption is. The important question seems to be how one defines what  ‘reasonable steps’  are in relation to various risks relating to the storage, retention and security in the data handling process.   What  reasonable safeguards or measures does a telecommunications company have to implement in ensuring access to this information is appropriately secured and that staff  are adequately recruited, screened and trained to prevent fraud and misuse?

The recently released Australian Law Reform Commission Report ‘For your Information’ contains a discussion in relation to ‘data security’.   There was widespread support expressed for guidelines to as to what ‘reasonable steps‘ means in the context of the ‘data security‘ principle contained in NPP 4.1.

Neither the Telecommunications Industry Ombudsman or the Privacy Commissioner have the ability to award compensation beyond   certain limits to customers who have suffered privacy violations.

It is recognised by customers that there are  security risks involved in wireless technology and that conversations can be intercepted, although with less ease with respect to digital phones. Encrypted digital communications afford the highest level of security, and there are several digital technologies available such as CDMA,* TDMA,* and GSM.*

Mobile phone records which are not secure pose obvious risks to particular groups of people. These people are left vulnerable by websites trading  mobile phone records for small fees. Despite legal imperatives, companies continue to offer the name and address connected to mobile phone numbers, an individual’s phone number, or a complete record of outgoing and incoming phone calls.

The ease with which a person can obtain this information is disturbing to the majority of the public concerned about privacy, and can be life threatening to persons such as victims of crime or other persons concerned about their personal safety.

Unfortunately there are a myriad of ways unscrupulous people can obtain access to  personal records through commercial vendors who treat information as a commodity to be bought and sold.  Using rudimentary privacy enhancing technologies doesn’t stop either dishonest or negligent employees  from sharing records with online information brokers.

Positive obligations are imposed on organisations to keep  information entrusted to them secure,  and implement safeguards to protect the data they collect and handle. The level of safeguards should be appropriate from a risk management perspective, depending on the likelihood of unauthorised access, and gravity of the consequences an individual may encounter as a result of a violation of their privacy.  Organisations and agencies should be prepared to address physical, computer, network,  personnel and security aspects of privacy.

The issue of security is particularly important in an electronic environment and the onus should be on organisations and agencies to ensure that their databases and electronic transfers or transactions are secure.  Organisations and agencies should have a positive obligation to report breaches which could result in an interference with the privacy of an individual,  financial  loss, or other significant harm.  The obligation should be proportionate to the extent of the breach and the possible harm it could cause.

Tort of Privacy

It is important to distinguish between Information privacy and physical or territorial privacy.

Whatever the merits of Mitnick’s claim against AT&T,  being based in the US ,  he has an entitlement to bring an action pursuant to an independent tort of privacy. The US Courts have created this right from existing actions for breach of confidence, defamation and property law cases.   As in Australia,  there are statutes in the US which purport to protect communications privacy, and the common law has features that protect dimensions of privacy beyond information privacy.

Information privacy is a term that generally applies to privacy of personal data, and regulates the data handling processes of an individual’s personal data by organisations.  It also extends to identification and identity, authentication technologies,  identity theft, the use of digital signatures, and specific aspects of internet privacy.

A comparative analysis of the judicial protection of privacy afforded by different  jurisdictions reveals that the tort of invasion of privacy by the publication of private facts is available in the majority of States in America as well as New Zealand. (See Bradley v Wingnut Films and  P v D [2000] Therefore,  at least  in the United States and New Zealand, the tort of ‘public disclosure of private facts’ ‘enables individuals to pursue a remedy for non-consensual publications of personal information.

Great Britain has also recognised the existence of  privacy rights, although the formulation of privacy rights differs, being acknowledged under the equitable action for breach of confidence. (See Campbell v MGN)  This distinction in the conceptualisation of  privacy rights can be significant when an individual seeks vindication for privacy violations through the Courts.

It is only recently that Australian courts been receptive to recognising a general tort of privacy.  There are only two decisions which have recognised the existence of actionable tort of privacy at common law in Australia.  The first decision is the decision of the District Court of Queensland in Grosse v Purvis , the offending conduct in this case being stalking by the defendant, also a crime under s 359B of the Criminal Code (Qld).

More recently, in a case on appeal to the High Court,  the County Court of Victoria held that the media disclosure of the identity of a rape victim in Australia was a breach of the tort of privacy in respect of disclosure of private facts. Doe v Australian Broadcasting Corporation & Ors [2007] VCC 281. Two ABC journalists subsequently pleaded guilty to breaches of  s4(1A) of the Judicial Proceedings Reports Act 1958 (Vic) which prohibits identification of rape victims.  Doe subsequently sued both the journalists, their Employer and the ABC.  The tort, as framed by the Court, is a narrowly defined one, being confined to the unjustified disclosure of private facts.  The emergent tort of privacy articulated by the County Court in the Doe case could prove to be significant as an alternative avenue for individuals to enforce their privacy rights in specific circumstances.  Privacy threats are increasing with rapidly evolving communication and surveillance technologies and an invasive media industry.

The case of Giller V Procopets includes a discussion as to whether the publication of a videotape of sexual activity involving the plaintiff can give rise to an action for a breach of privacy recognised by Australian law.  The Plaintiff claimed that in distributing the offending videos and threatening to continue to do so, the defendant had engaged in conduct which was intended to degrade and humiliate her.  She claimed damages for the ‘tort of intentional infliction of emotional distress‘.  As stated above, these kinds of claims have been recognised by US Courts.  Maxwell P,   in his judgement in Giller v Procopets,  recognised the need for the development of such a tort in Australian law.

Even in ordinary parlance, there have been perennial problems in defining privacy, which is a nebulous term.  Privacy means different things to different people.  It is a truism to say that privacy is a private matter.

In terms of it’s legal scope,  the tort or privacy in Australia only applies to natural persons, and there is no corporate right to privacy even where a business suffers damage to its reputation.  The legal reasoning  is that, unlike an individual, a corporation isn’t capable of emotional suffering.

There is also a right to prevent the unlawful and arbitrary interference with an individual’s privacy and reputation enshrined in S13 of the Charter of Human Rights and Responsibilities Act 2006. However there is a consensus that this legislation is inadequate in preventing privacy intrusive behaviours.

As stated above there is legislation dealing with information privacy both at the Commonwealth and State level. (eg  in the State of Victoria, the Information Privacy Act 2000 (Vic). and the  Health Records Act 2000 (Vic).) These statutes focus on the protection of  information privacy, with principles regulating the standards for the collection, storage, access and disclosure of private and sensitive information by various agencies and organisations.

There is also legislation  regulating devices which enable different forms of surveillance, including listening devices, optical surveillance devices, tracking devices and data surveillance devices;  Surveillance Devices Act 1999.

The area of privacy law is a complex one in today’s era of communication technologies where advances in information technology facilitate the transmission of  information across national borders with speed and efficiency.

Organisations are increasingly operating  on an international scale and transmitting data across borders. The Privacy Act 1988 (Cth) seeks to regulate transborder data flows through NPP 9, setting out the conditions for the sending of data overseas.  The principles prevent organisations disclosing information to someone in a foreign country unless they are subject to information privacy schemes comparable to the NPPs, or where the individual has consented to such disclosure.

As the internet is now a mainstream source of public information and interaction, there are unique challenges involved in protecting privacy, particularly with the emergence of new tracking technologies and information storage mediums. The principles embodied in the Privacy Act  for example are based on the OECD data protection guidelines which were developed over 30 years ago at a time when personal computers were scarce, and everyday modern day phenomena such as mobile and camera phones were only on the horizon.

The OECD also has issued Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002), which responds to security issues arising from networked information systems.

The principles have already  become outdated due to new technologies such as biometric technology, and the proliferation of surveillance systems, eg Closed Circuit Television, RFID, GPS navigation technologies, and DNA based technologies.

Incoming search terms for the article:

Tags: , , , , ,
Posted in Privacy | 77 Comments »