The SSU creates obligations for Telstra to self-report on compliance issues on a monthly basis.
According to Telstra’s Structural Separation Undertaking Annual Compliance Report 2011–12, issued by the ACCC today, “almost all of the reported breaches concern Telstra’s obligations to safeguard Protected Information—confidential or commercially sensitive wholesale customer information provided to Telstra in its capacity as access provider of regulated services—from disclosure to the Telstra businesses that compete against wholesale customers in retail markets.”
In essence, on a number of occasions Telstra retail businesses were able to obtain information about fellow retail customers of Telstra’s wholesale broadband business, such as iiNet and TPG, that could have potentially given them an unfair advantage.
One of the biggest criticisms of Telstra when it was a vertically integrated business was the blatant advantage its Bigpond service had over other ISP wholesale customers in terms of provisioning and market intelligence. The SSU was designed to eliminate this until all of Telstra’s fixed line retail customers are moved across to the NBN.
However, as the report released today shows, breaches were still occurring between March and June of 2012.
“The ACCC is further investigating Telstra’s failure to comply with its information security obligations and, in particular, the extent to which Telstra has gained or exploited an unfair commercial advantage over its wholesale customers. A decision as to further steps, including any consequential action it considers appropriate, will be made by the ACCC following the conclusion of this investigation,” the report states.
The ACCC report outlined seven specific areas of the SSU that were breached by Telstra.
Central to them was Clause 10.3 of the SSU, which states that “Telstra will not use or disclose Protected Information relating to a wholesale customer in a manner which would be likely to enable Telstra Retail to gain or exploit an unfair commercial advantage over that wholesale customer in any market.”
According to Telstra, one of the key culprits was its legacy IT systems, which enabled RBUs (retail business units) to gain access to network codes which in turn gave them access to wholesale protected systems.
Other breaches included:
• Protected information relating to faults accessible to Telstra Retail in a shared system
• Protected information distributed to Telstra Retail employees as part of a cross-company project
• Data warehouse’ systems that enabled RBUs to have access to Wholesale Customer information
• A product manager in the Telstra Innovation Products and Marketing Business Unit with responsibility for retail pricing decisions had access to Protected Information in a Telstra billing system
According to the ACCC, however, there are hopeful signs that Telstra is improving its practices.
“While it is of concern that these breaches have occurred, the fact that these matters are now coming to light and are being addressed shows that the SSU is working,” ACCC Chairman Rod Sims said.