Australian privacy commissioner Carly Kind has ordered card issuer American Express (Amex) to implement uniform account-level access and action logging within six months,
The Office of the Australian Information Commissioner (OAIC) investigated Amex following a complaint from a former customer who had been in a personal relationship with an employee of the card issuer.
That person’s sensitive data, held on five internal Amex systems, was accessed by the employee during the relationship and after it broke down.
Amex did not dispute the access occurred.
As part of the order, Amex must now tighten its controls and logging for when employees access customer data.
Within six months, Amex must implement account-level access logging and action logging across the five relevant systems.
These create a timestamped record each time an employee accesses or takes action on a customer record.
The card issuer must also build technical controls to restrict employee access to specific customer information, including through individualised contact arrangements for vulnerable or high-profile cardholders.
Kind said in the investigation report that Amex could reasonably have implemented just-in-time (JIT) access controls.
Under JIT, staff could open a customer record only when a time-limited trigger was present, such as the customer actively authenticating, rather than receiving standing access to all information in a system once role-based privileges had been assigned.
The commissioner considered this obligation commensurate with the risks presented, given the sensitive data Amex holds, such as transaction and travel data.
Amex pushed back on the JIT requirement, saying it was neither reasonable nor practicable, but the commissioner rejected this.
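As an added illustration (not code from the OAIC report or from Amex), the following Python sketch combines the two controls the report describes: a broker that grants a customer record to an employee only while a time-limited trigger such as the customer's own authentication is open, on top of role-based privileges, and an account-level, timestamped log of every access attempt, allowed or denied. The 15-minute window, the employee and account identifiers, and the scenario are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class JitAccessBroker:
    """Just-in-time access with account-level logging.

    A role grants an employee the *ability* to perform an action, but a record
    only opens while a trigger on that specific account is unexpired. Every
    request, allowed or denied, is appended to a timestamped audit log.
    """
    ttl: timedelta = timedelta(minutes=15)       # assumed trigger lifetime
    roles: dict = field(default_factory=dict)      # employee -> set of actions
    triggers: dict = field(default_factory=dict)   # account -> trigger expiry
    log: list = field(default_factory=list)        # append-only audit trail

    def customer_authenticated(self, account, now):
        # The customer's active authentication opens a window on that account only.
        self.triggers[account] = now + self.ttl

    def request(self, employee, account, action, now):
        has_role = action in self.roles.get(employee, set())
        # No trigger at all evaluates to expiry == now, i.e. not open.
        window_open = self.triggers.get(account, now) > now
        allowed = has_role and window_open
        self.log.append({"ts": now.isoformat(), "employee": employee,
                         "account": account, "action": action,
                         "outcome": "allowed" if allowed else "denied"})
        return allowed


def denied_attempts(log):
    """Detection view: attempts that had no open trigger or no role behind them."""
    return [entry for entry in log if entry["outcome"] == "denied"]


def run_scenario():
    """Constructed scenario: emp1 holds a standing 'view' role; acct-1's owner
    authenticates once; accesses follow inside and outside the window."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitAccessBroker()
    broker.roles["emp1"] = {"view"}
    results = [broker.request("emp1", "acct-1", "view", t0)]            # role but no trigger
    broker.customer_authenticated("acct-1", t0)
    results.append(broker.request("emp1", "acct-1", "view", t0 + timedelta(minutes=5)))   # allowed
    results.append(broker.request("emp1", "acct-2", "view", t0 + timedelta(minutes=5)))   # other account
    results.append(broker.request("emp2", "acct-1", "view", t0 + timedelta(minutes=5)))   # no role
    results.append(broker.request("emp1", "acct-1", "view", t0 + timedelta(minutes=20)))  # expired
    return results, broker.log
```

Only the second request succeeds; the standing role alone, another customer's account, a missing role and an expired window are all denied, and all five attempts remain in the log for review.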
While the card issuer has a monitoring program with automated scanners in place, this did not extend to the employee’s team.
Initially, Amex told the OAIC that it was unable to restrict employee access to specific customer records on four out of five relevant systems and relied instead on training, policies and its code of conduct.
However, Amex later submitted that it does have the ability to suspend an employee’s system access, or to remove their entitlements completely.
OAIC said that possessing such a capability and then not using it does not count as taking a reasonable step.
Kind noted a 2019 incident in Amex’s global business in which another employee wrongfully accessed customer names, card numbers and dates of birth, in an attempt to commit fraud.
Commissioner Kind found that this history placed Amex on notice, meaning it was held to a higher standard of preventative controls than would apply to an entity encountering insider risk for the first time.
In the current case, OAIC found that Amex had breached Australian Privacy Principle 11.1.
Amex must issue a written apology to the complainant, and pay an unspecified amount of compensation for economic and non-economic losses, along with the person’s costs related to bringing the case to the OAIC.
OAIC did not publish the full determination, only a report on its investigation, citing potential harm to individuals, risks to Amex’s cyber security, and the need to protect its own investigative processes.