Outsourcing your IT arrangements: What are your privacy obligations?

Are you taking reasonable steps to ensure that the personal information your direct selling business holds is protected from misuse, interference and loss and from unauthorised access, modification or disclosure? Are your service providers also taking reasonable steps to secure the personal information of your distributors and customers that you entrust to them? The recent Federal Trade Commission (FTC) investigation of Infotrax Systems LC (Infotrax), a service provider to many in the direct selling industry, is a timely reminder for direct selling businesses not to be complacent in respect of data security.

Who is Infotrax?

Infotrax provides backend operations systems and online distributor tools for multi-level marketers. Infotrax’s services include operating aspects of its direct selling clients’ website portals. In registering and placing orders on the website portals, distributors and customers provide Infotrax with their personal information – including bank account and credit card details, usernames and passwords.

As of September 2016, Infotrax stored the personal information of approx. 11.8 million consumers.

What went wrong?

Earlier this year, the FTC issued a complaint against Infotrax, and its CEO, Mark Rawlins, alleging that they had breached s 5(a) of the Federal Trade Commission Act which prohibits unfair acts or practices.1 The FTC alleged that, from 2014 to March 2016, Infotrax engaged in a number of unreasonable data security practices including:

  • failing to:
    • have a system which deletes consumers’ information when it is no longer required;
    • conduct a code review and penetration testing of Infotrax’s software and network to assess cybersecurity risks to consumer data;
    • detect malicious file uploads;
    • segment Infotrax’s network;
    • implement safeguards to detect anomalous activity; and
    • limit locations to which third parties could upload unknown files into Infotrax’s network; and
  • storing consumer’s personal information in a readable format on Infotrax’s network.

As a result of the failures, between May 2014 and March 2016, hackers accessed Infotrax’s server (and websites it maintained on behalf of its clients) multiple times and pulled personal information, including consumers’ passwords, names, addresses and credit card details from the server/websites.

The FTC alleged that Infotrax’s failure to:

  • protect consumer data through implementing readily available and low-cost security measures; and
  • provide reasonable security for the personal information it held,

caused, or was likely to cause, substantial injury to consumers in the form of fraud, identity theft and monetary loss.

What are your obligations?

Companies which are required to comply with the Australian Privacy Principles (APPs) must ensure that they take such steps as are reasonable to:

  • implement practices, procedures and systems relating to their functions and activities which enable them to comply with the APPs and deal with inquiries and complaints from individuals about their privacy compliance (APP 1); and
  • protect personal information from:
    • misuse, interference and loss; and
    • unauthorised access, modification or disclosure (APP 11).

Your company also has data breach notification obligations under the Privacy Act 1988. In Australia, a data breach is notifiable if it is likely to cause serious harm to affected individuals. If serious harm is more probable than not, both the affected individuals and the Office of the Australian Information Commissioner (OAIC) must be notified promptly.

If your company has outsourced its IT arrangements, it continues to have mandatory data breach obligations under the Privacy Act 1988. If the personal information has been disclosed to a contractor overseas, then an Australian company may also remain liable for mishandling by the overseas recipient.

If you are a director or officerholder of the company, you also have a duty under the Corporations Act 2001 (Cth) to act with reasonable care and diligence in your position.

Further, if your company is publicly listed, there are also continuous disclosure obligations.

How do you comply with these privacy obligations?

In order to avoid an Infotrax situation, ensure that you adopt a privacy-by-design approach when rolling out new projects. Regularly conduct risks assessments to ensure that you are aware of risks and take reasonable steps to avoid or reduce the risks.

When entering into agreements with service providers ensure that you conduct due diligence in respect of their data handling practices and security policies. As stated above, where the third party is overseas, it is especially important to take reasonable steps before disclosing personal information as your company may be liable under the Privacy Act 1988 for any mishandling by the overseas recipient. Reasonable due diligence steps may include the following:

  1. Ensure your contract with the service provider is adequate. Your contract should:
    • address compliance with particular privacy requirements and require the service provider to provide warranties in respect of, for example, its level and standard of data protection compliance and indemnities for any breach of the warranties and for any loss caused by a data breach;.
    • address data breach notification requirements, including:
      • the procedures which must be followed should a data breach occur, (including details of when, how and what is required to be notified to you); and
      • requiring the contractor to cooperate with you and to investigate fully and promptly contain the breach.
    • require the service provider to be liable for any costs you incur if there is a breach of the data they hold on your behalf. If the OAIC and affected individuals are required to be notified, ordinarily your company would be responsible for notifying affected individuals because your company has the direct relationship with those individuals;
    • include mechanisms to ensure that data protection obligations are being met, such as reporting requirements; and
    • address what must happen to your company’s data when the contract ends.
  2. You should also consider whether the service provider should be permitted to subcontract its obligations or use your company’s data for its own purposes.
  3. Ask the service provider for evidence of its IT security practices and policies. Has the service provider been certified as compliant with ISO 27001, an internationally recognised standard that sets requirements for information security management systems?
  4. The service provider’s IT systems should be required to be audited too, for example, on at least a yearly basis.

Regardless of whether you outsource your IT arrangements:

  • Your IT team should be vigilant and ensure that updates and patching are completed routinely and promptly when released. Obsolete software should be removed from systems.
  • You should also have a data breach response plan that you can activate and a data breach response team to manage the crisis caused by a data breach. Should you have an actual or suspected data breach, you may wish to also engage external IT experts to urgently assess your systems to identify any security issues and fix those issues.
  • Do you have a data retention policy? When you no longer require personal information, it should be destroyed or deleted. Do not hold onto personal information indefinitely or for some future use of which you are currently not aware.

There is no shortage of resources to assist you with privacy compliance. The OAIC publishes an extremely useful and easy-to-read Guide to securing personal information, which outlines many examples of “reasonable steps” which should be taken by businesses to comply with their obligations under the APPs.2

The above list is not exhaustive and hopefully your company is already undertaking the above routinely. If not, now is the time to start.

If you have any concerns or questions, please contact us.

1. The FTC is able to issue a complaint of this nature where it reasonably believes a law is/has been violated and the proceeding is in the public interest.
2. https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-securing-personal-information/.

Liability limited by a scheme approved under Professional Standards Legislation.
© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.

Liability limited by a scheme approved under Professional Standards Legislation.
© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.