ICT610: Manage Copyright, Ethics & Privacy - NAB Breach Report


Added on  2023/05/31

AI Summary
This report details a privacy breach incident at the National Australia Bank (NAB) involving the unauthorized disclosure of employee information via a USB drive. The report includes a series of communications, including a complaint response, and further internal communications regarding the incident. The analysis covers the breach's impact, legal implications, and the bank's response, including investigation steps, and the implementation of new policies to prevent future occurrences. The report references the Australian Privacy Principles and relevant legislation, and it concludes with a summary of the actions taken and recommendations for improved data security and employee data protection within the organization. It highlights the need for stricter controls on data storage devices, employee training, and enhanced privacy policy enforcement. The investigation involved network forensic experts, privacy policy committee meetings, and feedback mechanisms to ensure the effectiveness of policy changes.
Running head: MANAGE COPYRIGHT, ETHICS & PRIVACY IN AN ICT ENVIRONMENT
Advanced Diploma of IT project Management
Manage Copyright, Ethics and Privacy in an ICT Environment
Name of the Student
Name of the University
Author note:
1. Company: National Australia Bank
CC: Facilitator@NAB.com
SUB: Response to Privacy Breach Complaint
Dear Sir/Madam,
This letter is in regard to the complaint that you filed on 5th November 2018. Your complaint
has been filed as 5/11/2018/NAB/001.
We have registered your complaint under the above complaint number. We are assessing all the
information you have given to us and the investigation is ongoing. We may have to disclose the
information provided by you for investigation purposes, if necessary. If there is any requirement
to disclose the information overseas, we will discuss it with you first. The privacy policy is helpful
to describe the process of collecting as well as using personal information. The access to and
use of the process consisting of personal information.
Community services policies and procedures is one of the organizational policies followed by the
employees of an organization. Under the policy, there is a clearly defined procedure to detect and
update the Community Resource Index so that the employees are aware of the services that are
available. However, it is important to provide a guideline for the case referencing and referral
protocols, consisting of the process by which referrals need to be developed and the type of
information that can be shared with the services, as well as the ongoing roles and responsibilities
of the services with the client. In addition, a policy for the extent of client information can be
kept after the clients. These are involved with service. For instance, multiple governments
generate outlines of the legal demands on employees related to storing as well as maintaining
information.
Generally, when a private security breach occurs, an employee or the complainant needs to send a
complaint to the concerned organization, a process laid down by the OAIC (Office
of the Australian Information Commissioner), which is guided by “The Privacy Act 1988” and
other legislation of the Government of Australia. The privacy policy outlines the process of
managing personal information as well as safeguarding privacy pursuant to the Privacy Act 1998 as
well as the Australian Privacy Principles. The policy can provide an easy process of understanding
the summary of personal information and the projects. After filing, there is a waiting period of
30 days for the action and reply of the organization, after which you can directly take your
complaint to the OAIC.
As of now, you will have to wait for further communication. I would also like to appreciate your
gesture of communicating with us on behalf of our Bank.
Thanking You
Regards,
XYZ
Policy Department.
2. After referring to the privacy policy of the National Australia Bank, it has come to my notice
that this kind of information leak was not thought about while formulating the policy.
Legally speaking, there was a breach of the bylaws against public viewing of the appraisal
report of any employee of the bank. Interested people can also use the employment records of the
employees for evil intent. It was also important for the Bank to secure this information. More
than a breach, it has been a loss of oversight on the policy formulation committee’s side.
The Australian Privacy Principles are contained in the Privacy Act 1998, which outlines the
process of managing personal information as well as safeguarding privacy pursuant to the Act. The
policy provides an easy way of understanding the summary of the type of personal information
collected. In addition, the process of holding personal information needs to be amended. On the
other hand, evaluating and correcting personal information is important for the privacy policy.
All the details that have been retrieved from the USB that you submitted have been forwarded
to our security experts and other related departments. Many new rules regarding data security
have to be made in order to prevent further lapses. Steps have to be taken by the Bank management
to implement the cyber laws of Australia more effectively so that future breaches
can be avoided. There might be a concern among all the employees currently working for
the bank about their private details, such as financial and physical details, being leaked.
3. SUB: Regarding Privacy Breach Complaint
Dear Mr. Edward Powell (Facilitator),
I am writing this letter to discuss the complaint that we received on 5th November
2018 about a potential security breach on the premises of the National Australia Bank Ltd. The
concerned complaint number is 5/11/2018/NAB/001.
After investigating the concerned USB drive, there were confidential reports of the employees
of our bank that, in the wrong hands, could have proven disastrous for the concerned individuals.
Along with that, the USB that was submitted also contained some financial details of employees
that breach our “Credit sharing policy”.
Distribution of the employees needs to be passing out of written or printed materials. The leaflets
as well as handbills provide information regarding the union as well as contain different
campaign propaganda. Usually, a solicitation is differentiated from the process of distribution as
the oral as opposed to the written. On the other hand, there is an exception for union
authorization cards. The policy needs to be communicated to the staff at the commencement of
employment, where the employer needs to ensure that the staff sign and acknowledge that they have
received the policy.
I would also like to extend my invitation to a formal meeting related to this security lapse in our
organization. This would allow all the related departments to work in a coordinated manner. Your
presence would be really appreciated.
Thanking You
Regards,
XYZ
Policy Department
Encl: USB Drive Information
4. The USB does not seem to have left our Bank premises, so an internal investigation of the USB
should be undertaken to establish whether anyone sent or copied this information. The network
forensic experts would then be able to determine which system the USB had been connected to or
used on. The culprit in the organisation must be named and shamed to prevent any future attempt to
sabotage the privacy policy of our Bank. We should really take it as a warning and re-evaluate our
company’s privacy policy as soon as possible, keeping in mind all the latest cyber-related threats
that have been developing in Australia. In addition, new work procedures and their development, as
well as handing out the feedback, need to be implemented through proper
planning. The employees need to follow the organizational policy and privacy policy.
Control of USB flash drives within the environment needs to be developed in the form of a
written policy. The policy is acceptable for portable storage devices. Most organizations
require an acceptable use policy (AUP) that defines how users may utilize internet, telephones
as well as network resources. The users need to read the AUP and agree to abide by it. It is an
official document, which needs the approval as well as support of the legal and human resource
departments. A breach of this kind could damage the brand value of the company, and for this
reason, strict policies should be implemented for USB as well as other storage devices, under
which the system should detect any unauthorized data downloading on any system and immediately
report it to the network administrator. Furthermore, it is unethical for any organization to be
unable to protect the employees' information that is submitted to the Bank.
5. Company: National Australia Bank
Complaint Number: 5/11/2018/NAB/001
Complainant: Matthew Hoggard
Date: 5th November 2018
Complaint Information:
A USB was found in the parking lot of the National Australia Bank and was submitted by the
complainant. The essential investigation revealed that the USB contained sensitive information
such as the employees' names, resumes and appraisal reports, etc.
Steps Taken:
a. Response letter sent to the complainant on 7th November stating what will be done
to remedy the situation and thanking him for bringing this breach to our notice.
b. A meeting was then conducted to investigate the security breach and to verify whether the
complaint was true.
c. Meeting of the Privacy Policy committee to decide what should be done now that the
security breach is verified.
d. Addition of policies to the Privacy Policy so that this kind of security breach does not occur in
the near future.
1. The employees of the HR department can access information about employees but cannot
copy, edit or send any information.
2. The ability to edit or copy rests only with the head of the HR department, the CEO of the
National Australia Bank and the Board of Trustees. If any such attempt is noticed,
provision of an inbuilt warning system to nab the culprit should be initiated at once.
3. Further, any stakeholder, such as a third-party recruiting agency, has to sign privacy
agreements before working with National Australia Bank in any capacity.
To make it even more foolproof, feedback forms have been circulated to gauge the effectiveness of
the change in policy. After the feedback procedure, another clause has been added to the Privacy
Policy stating that, while accessing private information, employees will not carry any type of
storage device, mobile phone, camera, etc.
Presiding Member: XYZ
Verdict: Complaint Closed.