The recent cyber attack, known as WannaCry (also reported as WanaCry or WannaCrypt), has shone the spotlight on the information security challenges facing Australian organisations. The large-scale ransomware attack has reportedly affected over 200,000 computers across 150 countries, including a number of Australian businesses. The ransomware encrypts files on an infected computer and a ransom is then demanded in exchange for the key needed to recover them.
An attack of this unprecedented magnitude highlights the fundamental importance of an organisation having systems and processes in place to handle information security risks, particularly where personal information is held electronically.
This message is consistent with the Privacy Commissioner’s findings released last year, following its joint investigation into the hacking of the adult dating website Ashley Madison (which resulted in the personal information of approximately 36 million Ashley Madison users, including Australians, being made publicly available).
A key lesson from the Commissioner’s investigation report, reflected in the enforceable undertakings imposed on Ashley Madison, is that in order to comply with the Privacy Act 1988 (Cth), organisations holding personal information should have robust information security measures in place including:
- a security policy or policies
- a risk management process that addresses information security matters, drawing on adequate expertise where necessary and identifying key personnel to respond to data breaches and
- adequate privacy and security training for all employees and contractors with network access.
While news of the global cyber attack continues to break, it is timely that the Australian Information and Privacy Commissioner has this week launched Privacy Awareness Week for 2017. This initiative is aimed at raising awareness of privacy issues and exploring privacy through the theme ‘Trust and Transparency’ which focuses on the public’s trust in organisations to handle personal information with transparent processes and with care.
Australian organisations may be in for a bumpy road ahead, particularly given the growing risk of cybercrime. Organisations need to ensure their systems and processes are kept up to date to minimise the risk of a data breach. In particular, where the risk of reputational damage in the event of a data breach is high (by virtue of the type of personal information that an organisation holds), a proactive rather than reactive approach is crucial.