In brief

  • Pacnet experienced a cyber-attack in April, compromising the personal details of thousands of customers.
  • Despite the fact that under the current Privacy Act there is no requirement to notify affected individuals or the Office of the Australian Information Commissioner (OAIC) of a serious data breach, organisations should nevertheless take measures to reduce their risk of a cyber-attack and limit the impact of an attack that has been detected.

Cyber-attacks on the rise

Telstra announced on Wednesday 20 May 2015 that its recently acquired Asian subsidiary Pacnet, which provides data centre and undersea cable services, was the target of a cyber-attack incident in April that infiltrated Pacnet’s entire corporate network.1 The breach was triggered by the uploading of malicious software to the network and has affected thousands of customers including the Australian Federal Police, Department of Foreign Affairs and other government agencies, whose emails and other user credentials have been exposed.

The Pacnet cyber-attack is certainly not unique – increases in online business activity and the increasing collection, storage and hosting of data by companies (both locally and in the cloud) has created an environment in which personal information is constantly vulnerable to attack.

The occurrence of high profile data breach incidents is becoming more prevalent, with some of the most well-known attacks including the Target breach in 2014, in which the credit card details of millions of customers were accessed, and the eBay breach of users’ log-in details in 2014 affecting more than 100 million users.2 Sony also experienced a significant and widely publicised data breach in 2014, allegedly in response to the pending release of 'The Interview', resulting in the personal information of over 47,000 employees being compromised.

Australia has also fallen victim to cyber-attacks, with hackers gaining access to the credit card details of 77 million users of the Sony PlayStation Network in 2011, and Optus reporting three data breaches earlier this year.

Legal implications of cyber-attacks in Australia

The Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act) issued by the OAIC regulate the handling of personal information. Of particular relevance to cyber-attack incidents is APP 11, which requires organisations to take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as unauthorised access, modification and disclosure. Although Pacnet is an Asian entity, it would still be subject to the APPs because it ‘carries on business in Australia’.

OAIC’s ‘Data breach notification – A guide to handling personal information security breaches’2 publication provides useful guidance on an organisation’s responsibilities in cases of cyber-attacks. In particular, it asserts that affected individuals and the OAIC should be notified of a security breach as soon as reasonably possible when the breach creates a real risk of serious harm. The Sony PlayStation incident in 2011 serves as an example of an organisation’s failure to meet this standard, with the OAIC expressing concern that Sony only notified affected customers and the OAIC 7 days after becoming aware of the incident.

Reforms to the Privacy Act that came into effect in March 2014 introduced a new power for the Australian Privacy Commissioner (the Commissioner) to accept an enforceable undertaking from an organisation regarding data breaches. Following its data breach this year, Optus provided the first enforceable undertaking under this reform that it would complete a wide ranging independent review of its information security systems, and implement any of the Commissioner’s recommendations.

The Privacy Amendment (Privacy Alerts) Bill 2014 (the PA Bill), which has been before the Senate since March 2014, creates a mandatory requirement for organisations to notify the OAIC and affected individuals as soon as practicable if it believes on reasonable grounds that there has been a serious data breach. In a joint media release on 3 March 2015, the Australian Government agreed with Recommendation 38 made by the Parliamentary Joint Committee on Intelligence and Security to introduce a mandatory data breach notification scheme before the end of this year. The Australian Government will consult on draft legislation, which may result in the enactment of the PA Bill or some other legislation.

Managing cyber-attack risks

In light of this most recent breach, organisations should carefully consider the measures that can be taken to reduce their risk of a cyber-attack.

Within an organisation, the development of a security and data management strategy is increasingly important (and indeed almost unavoidable). This strategy might  include or incorporate:

  • installing security mechanisms such as malware protection to prevent or detect security breaches,
  • restricting user privileges to limit access to important information,
  • conducting regular testing and monitoring to ensure the security measures are working efficiently,
  • increasing education and awareness about acceptable and secure use of the organisation’s systems, and
  • implementing a process for dealing with breaches if and when they occur, including containing the breach as soon as practicable, informing affected parties, and assessing what steps might be taken to prevent further breaches.

The broader commercial context of the Pacnet security breach also serves as a reminder to consider the security and information technology management practices and processes of a company as part of any acquisition process, and what steps need to be taken either during or promptly after any sale transaction to address any security risks that have come to light.