HCi Journal
Privacy breach: from $5 bn to zero in four months

Suddenly in January 2002, Transurban CityLink was facing claims that some 500,000 credit card numbers which it had received from its customers had been used without their consent. The Transport Minister's office said that the company might be fined $10,000 'per disclosure' for breaching privacy legislation, which would lead to fines of $5 bn even if each credit card number was used only once.

Luckily for Transurban, the huge fine did not happen. An ex-employee had taken credit card details, but had done so without the company's prior knowledge or permission.

Naturally, the Privacy Commissioner was interested in the case, and conducted a review of the company's information handling processes. The Federal Privacy Commissioner, Malcolm Crompton, said after the review, "... while I am of the view that this incident represents a significant privacy breach, I am satisfied that the policies and procedures Transurban had in place at the time were reasonable ..."

We believe that the lesson for organisations is this: that the Privacy Commissioner, in assessing whether Transurban was in breach, had looked to the company's policies and procedures. Presumably if there had not been sufficient controls in place, the Commissioner might have delivered a different conclusion. And if the breach was carried out by an existing employee, and Transurban had not had policies against the breach, the company itself might have been on the receiving end of a hefty fine after all.

If you'd like to discuss your organisation's privacy policies and procedures, please give us a call.

Sources: "The Age", 30 Jan 2002, "Citylink credit card breach"; ABC Melbourne, 30 Jan 2002, "CityLink Internet Credit Card Scam"; Office of the Federal Privacy Commissioner, 24 May 2002, "Transurban privacy review completed".

This article may be reproduced only with the permission of HCi (email HCi). Copyright HCi, 2001-2.