The Privacy Commissioner’s (Commissioner) recent report on her determination on American Express (AMEX) in relation to insider security risk is a timely reminder that insider threat is not just an employment, cyber or conduct issue. It is also a privacy issue and, for many regulated organisations, part of their obligations under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) and the Australian Prudential Regulation Authority’s (APRA) prudential standards.
Boards, General Counsel (GC) and Chief Information Security Officer’s (CISO) should ask whether security controls designed to keep attackers out can also prevent, detect and contain misuse by people who are already inside. Just as importantly, can the organisation prove that its controls are proportionate to the risk?
What happened in AMEX?
The complaint concerned an AMEX employee who allegedly accessed a former personal partner’s account for purposes outside of legitimate business needs. The employee’s authorised access enabled them to view customer information about the individual, including names, travel and hotel bookings, rewards information and financial transactions.
AMEX accepted that the employee had accessed the complainant’s personal information. However, because account-level logging was not uniformly enabled, AMEX could not determine whether the employee had accessed the account on further occasions.
The Commissioner found that AMEX breached Australian Privacy Principle 11.1 by failing to take reasonable steps to protect personal information from unauthorised access. The finding puts organisations on notice that authorised access can still create an unmanaged security risk when it is used for an unauthorised purpose.
Policies and training were not enough
AMEX’s security controls included:
- role-based access
- privacy and cybersecurity standards
- staff training, access reviews
- a code of conduct
- monitoring for out-of-pattern access.
The Commissioner accepted that these measures went some way towards the reasonable steps required by Australian Privacy Principle 11.1, but concluded that they were not enough.
The issue was whether AMEX’s controls, taken as a whole, were commensurate with the risk arising from insider threats. Relevant factors included the volume and sensitivity of the data held by AMEX, the potential for harm that may arise from exposure of transaction and travel information, AMEX’s sophistication and the fact that AMEX’s broader group had previously experienced an insider threat incident.
The controls the Commissioner expected
The report identifies practical controls that should be on every organisation’s insider-risk checklist. These include:
- uniform account-level access logging
- action logging
- the ability to restrict access to specific customer records
- just-in-time access
- express prohibitions on staff accessing accounts of friends and family.
The distinction between system logging and account-level logging was central. System access logging showed when an employee opened or closed an application, but it did not show which customer record was accessed or when. Action logging captured write access, but not read-only browsing of a customer account. Importantly, the Commissioner did not accept random sampling, periodic governance checks or system-level logging as substitutes for a contemporaneous, comprehensive and auditable record of access to customer accounts.
Containment mattered too. The Commissioner found that AMEX lacked practices, procedures and systems that could restrict the employee’s access once the complaint alleged misuse.
Why this matters beyond privacy
The AMEX report is part of a wider regulatory focus on insider threat. Across privacy, critical infrastructure and prudential regulation, the same question appears: can security programs that are good at keeping outsiders out also keep insiders out when their access becomes unnecessary, malicious, excessive or no longer appropriate?
Under the SOCI framework, entities required to maintain a critical infrastructure risk management program must address personnel hazards. That means identifying access to critical systems and functions, assessing the material risks posed by employees and contractors, and minimising or eliminating those risks so far as reasonably practicable. Personnel security, identity and access management, monitoring and rapid revocation should operate as one control environment.
For APRA-regulated entities, CPS 234 and CPS 230 similarly require information security and operational risk controls that respond to threats across people, processes, technology and service providers. The threat is not limited to a deliberately malicious employee. It includes trusted users who become compromised, coerced or subject to conflicts of interest or foreign influence.
The same control uplift can address all three regulatory lenses. Account-level logging, anomalous-access monitoring, purpose-bound access, conflict disclosure and rapid restriction can create a defensible response to insider threats.
What should organisations do now?
Boards, GCs and CISOs should review their current control environment through a single insider-threat lens. Can the organisation show who accessed sensitive data, when and why? Does monitoring cover every team with sensitive or privileged access? Can access be restricted quickly when a concern arises?
The practical message is that the OAIC will expect organisations to have preventative technical controls, not just policies and training, and to be able to provide evidence of customer-level access after the fact. Train and trust your organisation, but use technology to verify and restrict where required.