OAIC finds American Express breached privacy rules
An OAIC ruling against American Express Australia highlights insider security risk in financial institutions.
Australia’s privacy regulator has found that American Express Australia interfered with a complainant’s privacy by failing to take reasonable steps to protect personal information from unauthorised access.
The Office of the Australian Information Commissioner published a summary report of the determination in the matter of ‘BAM’ and American Express Australia Limited, rather than the full determination, after considering confidentiality claims and potential harms linked to disclosure of sensitive information.
Australian Privacy Commissioner Carly Kind found that American Express Australia breached Australian Privacy Principle 11.1 under the Privacy Act 1988. The case followed a lengthy investigation into insider security risk within a financial institution.
The OAIC said insider security risk remains a significant but frequently overlooked threat to organisations and to individuals whose personal information they hold. It said the risk is particularly important in sectors such as financial services, where organisations store large volumes of personal information.
Under the determination, American Express Australia must compensate the complainant for economic loss, non-economic loss and complaint-related expenses. It must also issue a written apology acknowledging the interference with privacy.
The company must implement technical controls across relevant systems to restrict employee access to specific customer information, including for vulnerable or high-profile customers. It must also introduce account-level access logging and action logging across relevant systems that remain in operation.
The OAIC said the determination underscores the role of ICT access controls in protecting personal information from unauthorised access by employees.
Why does it matter?
The determination shows that privacy protection is not only about preventing external cyberattacks or data breaches. Organisations also need internal controls that restrict, monitor and log employee access to customer information. For financial institutions and other data-rich sectors, insider risk is now clearly a privacy compliance issue, not just an internal security or HR problem.