Amex Required to Strengthen Access Controls After Insider Privacy Breaches


Quick Overview

  • Amex instructed to improve access controls following insider privacy breaches.
  • OAIC inquiry was initiated after a complaint regarding personal data access.
  • Amex must introduce account-level access and activity logging within six months.
  • Just-in-time access controls were advised but initially opposed by Amex.
  • Amex must apologize and provide compensation to the affected party.

Amex Facing Scrutiny Over Privacy Breaches

The Office of the Australian Information Commissioner (OAIC) has directed American Express (Amex) to reinforce its data access protocols following an investigation into privacy breaches by insiders. The directive follows a complaint from a former customer, which disclosed that an Amex employee accessed their sensitive information across five internal systems during and after a personal relationship.

Required Enhancements in Access Protocols

Amex is obligated to implement standardized account-level access and action logging within a six-month timeframe. This involves generating a timestamped record every time an employee accesses or alters a customer record. Moreover, technical measures must be established to restrict employee access to particular customer information, especially for at-risk or high-profile cardholders.

Just-in-Time Access Protocols

The OAIC recommended the adoption of just-in-time (JIT) access controls to further protect customer data. Under JIT, staff would be blocked from a customer's records unless a time-sensitive trigger is present, such as the customer actively authenticating at that moment. While Amex initially opposed this suggestion, the commissioner found it essential due to the sensitive nature of the data held by the firm.
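To make the two controls described above concrete (the account-level logging from the previous section and the JIT gate from this one), here is an added example that is not Amex's or the OAIC's code: a small gateway that grants a staff member access to a customer record only while a recent customer authentication is on file, applies an extra entitlement check for flagged customers, and writes a timestamped log entry for every attempt. The 15-minute window, customer and employee identifiers, and the "restricted" flag are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed validity of a customer authentication event (constructed value; a real policy decides this).
JIT_WINDOW = timedelta(minutes=15)


@dataclass
class RecordGateway:
    """Mediates staff access to customer records: JIT gate plus audit log."""
    last_auth: dict = field(default_factory=dict)   # customer_id -> last authentication time
    restricted: set = field(default_factory=set)    # at-risk / high-profile customers
    elevated: set = field(default_factory=set)      # employees entitled to restricted records
    audit_log: list = field(default_factory=list)   # one timestamped entry per attempt

    def customer_authenticated(self, customer_id, at):
        """Record the time-sensitive trigger: the customer has just authenticated."""
        self.last_auth[customer_id] = at

    def _log(self, employee_id, customer_id, action, outcome, at):
        self.audit_log.append({"ts": at.isoformat(), "employee": employee_id,
                               "customer": customer_id, "action": action, "outcome": outcome})

    def request(self, employee_id, customer_id, action, at):
        """Return True if access is granted; every attempt is logged either way."""
        auth_at = self.last_auth.get(customer_id)
        if auth_at is None or at - auth_at > JIT_WINDOW:
            self._log(employee_id, customer_id, action, "denied:no-active-customer-auth", at)
            return False
        if customer_id in self.restricted and employee_id not in self.elevated:
            self._log(employee_id, customer_id, action, "denied:restricted-customer", at)
            return False
        self._log(employee_id, customer_id, action, "allowed", at)
        return True


def demo():
    """Constructed scenario: fresh trigger, expired trigger, no trigger, restricted customer."""
    gw = RecordGateway(restricted={"cust-900"}, elevated={"emp-lead"})
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    gw.customer_authenticated("cust-100", t0)
    gw.customer_authenticated("cust-900", t0)
    results = [
        gw.request("emp-1", "cust-100", "view", t0 + timedelta(minutes=5)),     # allowed
        gw.request("emp-1", "cust-100", "view", t0 + timedelta(hours=2)),       # trigger expired
        gw.request("emp-1", "cust-200", "update", t0),                          # never authenticated
        gw.request("emp-1", "cust-900", "view", t0 + timedelta(minutes=1)),     # restricted, not entitled
        gw.request("emp-lead", "cust-900", "view", t0 + timedelta(minutes=1)),  # restricted, entitled
    ]
    return results, gw.audit_log
```

The denied entries in the log are the ones an investigator would look for: repeated attempts on one customer outside any authentication window are exactly the pattern the complaint described.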

Past Incidents and Increased Expectations

Previous incidents involving Amex, including a 2019 case in which customer data was fraudulently accessed, have put the company on notice. As a result, Amex is held to higher expectations concerning preventative measures to reduce insider threats. The OAIC found Amex to be in breach of Australian Privacy Principle 11.1, necessitating a written apology and compensation to the complainant.

Conclusion

Amex has been directed by the OAIC to strengthen its data access measures following privacy breaches involving insider access. Within six months, Amex must establish comprehensive logging systems and limit access to sensitive customer data. Despite earlier resistance, Amex is expected to implement just-in-time access controls to improve data safeguarding.

Frequently asked questions

Fast answers to the questions readers ask most about Amex Required to Strengthen Access Controls After Insider Privacy Breaches.

What led to the OAIC investigation into Amex?

The investigation was initiated by a complaint from a former customer whose sensitive information was accessed by an Amex employee during and after a personal relationship.

What are account-level access and action logging?

These systems generate timestamped records any time an employee accesses or modifies a customer record, improving transparency and responsibility.

What is the objective of just-in-time (JIT) access controls?

JIT access controls are intended to restrict staff access to customer records, requiring time-sensitive triggers like customer authentication to avoid unnecessary data exposure.

How has Amex reacted to the order?

Amex initially resisted the JIT requirement due to practical concerns but is now mandated to comply with the OAIC’s directives to strengthen data protection measures.

What compensation must Amex provide?

Amex is required to issue a written apology and provide compensation for both economic and non-economic damages, along with covering the complainant’s expenses related to the case.

Posted by Matthew Miller

Matthew Miller is a Brisbane-based Consumer Technology Editor at Techbest covering breaking Australia tech news.
