Australian regulator finds Telstra violated Privacy Act re data breach

Last year, Australian carrier Telstra asked regulators to investigate a mail-merge error that resulted in 220,000 letters being sent out to incorrect addresses. The letters contained customer names, telephone numbers, and telephone plans.

According to a report on the incident by Australian Privacy Commissioner Timothy Pilgrim, the breach only affected 60,300 customers.

“Our investigation has confirmed that while Telstra breached the Privacy Act when the personal information of a number of its customers was disclosed to third parties, this incident was caused by a one-off human error. It was not a result of Telstra failing to have reasonable steps in place to protect the personal information of its customers, as required by the Privacy Act”, said Pilgrim.

The government probe determined that Telstra had security measures in place to protect customer personal information involved in mail campaigns. These measures included privacy obligations in agreements with mailing houses, privacy impact assessments, and procedures to ensure staff handle personal information appropriately during mail campaigns.

“In this instance, taking into account the range of measures Telstra has in place for mail campaigns, I consider that the one-off human error that occurred does not mean that Telstra failed to comply with its obligation to take reasonable steps to protect the personal information of its customers. Therefore, I consider that Telstra has not breached this particular aspect of the Privacy Act”, the privacy commissioner said.

The commissioner determined that Telstra had acted “immediately” to prevent further breaches, notify customers, and review its data security practices.

Pilgrim related that the Australian government is currently considering recommendations from the Australian Law Reform Commission to introduce mandatory data breach notification laws in Australia.