Australia’s privacy watchdog has sanitised the public version of its findings into American Express’s privacy failures to favour the US payments giant, the Australian Senate has heard.
The watchdog has also downplayed the scale of the card provider’s failure, Greens Senator David Shoebridge told Parliament last night, saying its public report did not contain the fact that “Amex has close to 90 million cards in force worldwide with 1500 staff in Australia and more than 70,000 globally” all with the kind of “untracked access” to customer data uncovered by the watchdog.
The Office of the Australian Information Commissioner (OAIC) last month upheld a customer’s complaint that an Amex employee he briefly dated used his position to spy on the customer’s card accounts and activity, raising serious questions about the company’s internal security controls.
The customer’s four-year battle for acknowledgment that American Express breached his privacy entitled him to more than $23,500 in economic losses alone, which commission staff flagged last year would constitute the highest payout in Australian privacy breach history.
But the potential implications for the data security of the millions of American Express customers worldwide remain unknown, after Privacy Commissioner Carly Kind decided not to publish her full determination beyond a summary that will be posted on the commission website.
Kind found that American Express breached the Privacy Act and published a summary of her determination last Monday.
She found the company had failed to take reasonable steps to protect a customer’s privacy after he complained that one of its employees, whom he briefly dated, had spied on his accounts.
However, the summary significantly watered down her full findings, which she has kept secret, Greens Senator Shoebridge said, using parliamentary privilege to detail some of them.
“The public summary published by the Privacy Commissioner softens, recasts and omits critical findings in the full determination,” he said. “And in every instance those softenings, those recasts, those omissions are in Amex’s favour.”
The commissioner threatened the customer, who identified the “insider threat” within American Express and filed the complaint with her, with legal action if he released details of her full determination.
When publishing her summary, the commission said full disclosure could harm individuals and create risks to American Express’ cybersecurity, as well as undermine the integrity of the complaints process.
The senator gave examples of where Kind’s summary differed from the secret, full determination, which the public has been denied access to.
“The public summary removes any reference to the fact that the employee involved may still have access to [the customer’s] personal information,” he said.
“By contrast, the final determination reads, and I quote, ‘The respondent has not provided evidence as to whether all of the complainant’s personal information has been purged. The employee may still retain the ability to access it’.
“The public summary also edits out the fact that following Amex’s internal investigation after they received [the customer’s] first complaint, the employee retained access to [his] account and accessed it – again.
“The final determination reads, ‘The respondent is aware of the employee accessing the complainant’s account after the complainant’s complaint. It is concerning that the employee continued to have access to the relevant systems that was not restricted or suspended …’ That’s in the final determination, but not allowed to be shared.
“By contrast, the sanitised public summary merely reads, ‘Amex took steps to investigate, including reviewing the employees’ access logs’.
Shoebridge told Parliament that no access logs were kept for 70 per cent of American Express systems, which hampers the detection of illegitimate access. This figure was in the final determination but not in the summary given to the public, he said.
“The public should be made aware of these risks. It should be the commissioner who makes them aware, not a complainant who is then threatened with legal proceedings if he tells the truth.”
In a statement last week, American Express acknowledged the commissioner’s findings. “We take this matter seriously,” it said. “We are committed to protecting customer information and handling personal information responsibly, with privacy and data protection as important priorities. As we have done throughout the investigation, we will continue to work with the OAIC [Office of the Australian Information Commissioner] and take steps to address its recommendations.”
Amex said it would provide a written apology to the customer.