Privacy watchdog to investigate HWL Ebsworth over security and notifications - Security - iTnews

HWL Ebsworth is facing an official investigation by Australia's privacy watchdog following a cyber security incident last year.

The investigation will cover whether the law firm violated the Privacy Act by failing to protect sensitive data or properly notify individuals affected by the breach.

The breach saw 11TB of data lost to hackers and impacted 65 government agency clients' data as well as data belonging to private firms.

The Office of the Australian Information Commissioner (OAIC) made preliminary inquiries at the time of the breach last year, but said there was now a need to open a formal investigation into the law firm's personal information handling practices.

Depending on the outcome of the investigation, the law firm could face civil penalties or orders to compensate individuals affected by the hack, such as National Disability Insurance Scheme (NDIS) participants whose sensitive medical records were leaked.

"If OAIC is satisfied that an interference with the privacy of one or more individuals has occurred, HWL Ebsworth could be ordered to take specified steps to ensure that the relevant act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice," a statement read.

OAIC said that its investigation will cover both the protections HWL Ebsworth had in place before the breach and the actions it took to mitigate the damage to individuals affected by it.

"The OAIC's investigation is into HWL Ebsworth's acts or practices in relation to the security and protection of the personal information it held, and the notification of the data breach to affected individuals," it said.

NDIS participants and prospective participants have accused HWL Ebsworth of running fishing expeditions in cases they were involved in, putting the firm in receipt of a large amount of personal and sensitive data.

The firm declined to answer iTnews' questions about why it collected so much information or if it had a data retention policy that would delete sensitive information once the alleged requirement for it had elapsed.

Some 644 appellants in cases involving the NDIA were caught up in the HWL Ebsworth breach. They still have not been told which of their specific health records were exposed.

Others complained that they could not check which of their records had leaked because a Supreme Court injunction prevented them from accessing the stolen data set.