Breaches of compliance obligations for separation of its wholesale and retail business caused mainly by staff errors continued to plague Telstra throughout the 2015-2016 financial year, according to a report by the regulator.
But despite the breaches, there’s been a gradual turnaround in the situation with the competition regulator, the ACCC, now giving a tick of approval for improvements in compliance implemented by the telco.
The improvements have come, however, only after several breaches of Telstra’s obligations under its Structural Separation Undertaking (SSU), each arising from errors made by Telstra staff, resulted in the unauthorised disclosure of confidential or commercially sensitive information about wholesale customers.
The Australian Competition and Consumer Commission report tabled in Parliament on Thursday notes that overall, Telstra’s compliance with its SSU has continued to improve during 2015-16, with fewer breaches reported than in previous years.
“While there remain a small number of compliance issues, these are largely attributable to errors made by Telstra staff in the course of their day-to-day work or in relation to Telstra’s NBN Migration Plan, system or data quality issues,” ACCC chairman Rod Sims said.
“Where breaches have occurred, Telstra has responded to these in a positive manner and the ACCC considers the remedial steps taken are likely to ensure future compliance with the SSU.”
The SSU imposes information security obligations on Telstra designed to safeguard protected information obtained by the company in the course of supplying regulated services to wholesale customers.
The ACCC says that by virtue of Telstra’s vertical integration, protected information could potentially be used to Telstra’s advantage in downstream markets – but information security obligations in the SSU require:
- A strict prohibition on the disclosure of protected information to retail business units unless the wholesale customer has authorised the disclosure; and
- A prohibition on Telstra using or disclosing protected information in a way that would be likely to enable its retail business units to gain or exploit an unfair commercial advantage over its wholesale customers.
The ACCC says that, as with previous years, the most common SSU compliance issue during the 2015-2016 year was Telstra’s failure to prevent unauthorised disclosure of protected information.
It says the issues arose as a result of a number of isolated incidents that occurred due to staff error, but in each of the three reported instances, Telstra took action to contain the risk and sought to address the issue through coaching and ongoing training.
The 2015-2016 financial year also saw the conclusion of Telstra’s Information Security Remediation programme which the telco undertook to address a number of significant IT-related breaches identified in previous years.
The programme included a review of Telstra’s IT systems and remediation to prevent unauthorised disclosure of wholesale customer information.
After an ACCC-instigated review of the programme by Ovum in 2015, the regulator says it is satisfied the remediation project is now complete, with all outstanding issues relating to Telstra’s IT systems having been addressed.
The ACCC now says the implementation of a new Compliance Management Framework should ensure a “continued focus by Telstra on its SSU compliance”, and the telco’s SSU reporting “can be relied on to identify any further information security issues”.
Over the 2015-2016 financial year, the ACCC also continued to monitor Telstra’s performance against its NBN Migration Plan obligations.
And its report says compliance was generally met, with Telstra reporting just a small number of minor breaches relating to delays in publishing disconnection schedules and the reconnection of services to premises previously disconnected or not permitted under cease sale obligations.
The ACCC does note, however, that in its annual compliance report Telstra identified three breaches of its information security obligations in the SSU which had not previously been reported by the commission.
Two breaches related to protected information being disclosed to staff in a retail business unit while the other related to protected information being disclosed to a network services business unit employee.
The ACCC says all three breaches were due to emails sent in error and that Telstra had taken steps to remediate the breaches and also undertaken steps to prevent future similar instances from occurring, including:
- Encouraging staff to turn off auto-populating and suggested names in Outlook;
- Encouraging staff to seek management or legal advice before any sort of information is distributed to non-Telstra Wholesale workgroups; and
- Continuing to emphasise the importance of checking email recipients before hitting "send" in all induction and refresher SSU staff training.