Recent warnings about cyber security around the "Heartbleed Bug" should alert companies that have not yet updated their data protection measures to comply with the Privacy Act. Even where a company is not directly liable for damage caused by being hacked, compliance issues remain around the steps it took to protect against cyber attacks.
What is all the fuss about?
What is the Heartbleed bug, and what consequences should you have anticipated? When you send information to a website (your login details, for example), the site ''encrypts'' the data so that it looks like jumbled nonsense to anyone other than the intended recipient. Most websites do this using a piece of software called OpenSSL. To check that the other computer is still on the other end of the connection, one side sends a small message (a ''heartbeat'') containing a little data together with a note of how long that data is, and the other side is expected to echo it back. The error (known as CVE-2014-0160 and present in OpenSSL versions 1.0.1 through 1.0.1f) was that the software never checked the stated length against the amount of data actually received. A hacker could send a heartbeat containing a single byte but claiming to be up to 64 kilobytes long, and the server would dutifully reply with whatever happened to be sitting in its memory next to the request: usernames, passwords, session cookies, credit card numbers and, most dangerously, the encryption key the website uses to jumble up everyone's traffic. With that key the hacker could ''decode'' traffic he had captured (unless the site had been set up so that each session uses a throw-away key) and could impersonate the website, and the attack ordinarily left no trace in the server's logs. The fix lies with the websites themselves (update OpenSSL, then replace the keys and certificates that may have been exposed), and by now all of them should have done so. It is still a timely reminder that businesses and individuals need to keep passwords secure and change them regularly, but a password for an affected site should only be changed once that site has confirmed it is patched; changing it while the site is still vulnerable simply hands the hacker the new one.
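To make the missing check concrete, here is an added illustration that is not part of the original article and not OpenSSL's own code: a cut-down model of the TLS heartbeat handler before and after the Heartbleed fix. The handler names, the single array standing in for the server's memory, and the planted "PRIVATE-KEY-MATERIAL" string are all constructed for the example; the vulnerable version trusts the length field the way the pre-fix code did, and the fixed version adds the bounds check that OpenSSL 1.0.1g introduced.

```c
/*
 * Added illustration (not from the article, not OpenSSL code): a model of the
 * TLS heartbeat handler before and after the Heartbleed fix (CVE-2014-0160).
 * Process memory is simulated with one array so the over-read stays inside
 * defined behaviour; the "secret" is a constructed stand-in for key material
 * or other users' data that happens to sit next to the request.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define PADDING     16
/* Large enough that the biggest claimable length (65535) still lands inside the model. */
#define MEM_SIZE    (3 + 65535 + PADDING)

/* One connection: simulated process memory, with the received record at the
 * start and whatever else the process holds lying just after it. */
typedef struct {
    unsigned char mem[MEM_SIZE];
    size_t record_len;               /* bytes the peer actually sent */
} connection;

/* A handler writes its reply into resp (which must hold MEM_SIZE bytes) and
 * returns the number of payload bytes echoed, 0 if the request was dropped. */
typedef size_t (*hb_handler)(const connection *, unsigned char *);

/* Heartbeat record (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(16).
 * claimed_len is what the sender *says*; actual_len is how much payload is really there. */
static size_t build_record(unsigned char *out, uint16_t claimed_len,
                           const unsigned char *payload, size_t actual_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, PADDING);
    return 3 + actual_len + PADDING;
}

/* Pre-fix behaviour: trusts the length field and copies that many bytes from
 * where the payload starts, reading past the end of what was received. */
static size_t heartbeat_vulnerable(const connection *c, unsigned char *resp)
{
    const unsigned char *p = c->mem;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    resp[0] = HB_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload_len);      /* over-read: up to 64 KB of adjacent memory */
    memset(resp + 3 + payload_len, 0, PADDING);
    return payload_len;
}

/* Post-fix behaviour, modelled on the 1.0.1g patch: silently discard the record
 * unless the claimed payload (plus header and padding) fits in what was received. */
static size_t heartbeat_fixed(const connection *c, unsigned char *resp)
{
    const unsigned char *p = c->mem;
    if (1 + 2 + PADDING > c->record_len)
        return 0;                               /* too short to carry anything */
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload_len + PADDING > c->record_len)
        return 0;                               /* the check that was missing */
    resp[0] = HB_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload_len);
    memset(resp + 3 + payload_len, 0, PADDING);
    return payload_len;
}

/* Plain substring search, used to tell whether the planted secret leaked. */
static int contains(const unsigned char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* One exchange: a request with a 5-byte payload ("hello") and the given
 * claimed length, with a constructed secret planted right after the record.
 * Returns 1 if the secret shows up in the reply; *echoed gets the reply length. */
static int exchange(hb_handler h, uint16_t claimed_len, size_t *echoed)
{
    static connection conn;
    static unsigned char resp[MEM_SIZE];
    static const unsigned char payload[] = "hello";
    static const char secret[] = "PRIVATE-KEY-MATERIAL";   /* constructed stand-in */

    memset(&conn, 0, sizeof conn);
    memset(resp, 0, sizeof resp);
    conn.record_len = build_record(conn.mem, claimed_len, payload, 5);
    memcpy(conn.mem + conn.record_len, secret, strlen(secret));
    *echoed = h(&conn, resp);
    return contains(resp + 3, *echoed, secret);
}

static int secret_leaks(hb_handler h, uint16_t claimed_len) { size_t n; return exchange(h, claimed_len, &n); }
static size_t bytes_echoed(hb_handler h, uint16_t claimed_len) { size_t n; exchange(h, claimed_len, &n); return n; }

int main(void)
{
    printf("honest 5-byte request, unpatched : %zu bytes echoed, leaked=%d\n",
           bytes_echoed(heartbeat_vulnerable, 5), secret_leaks(heartbeat_vulnerable, 5));
    printf("claims 200 bytes, unpatched      : %zu bytes echoed, leaked=%d\n",
           bytes_echoed(heartbeat_vulnerable, 200), secret_leaks(heartbeat_vulnerable, 200));
    printf("claims 200 bytes, patched        : %zu bytes echoed, leaked=%d\n",
           bytes_echoed(heartbeat_fixed, 200), secret_leaks(heartbeat_fixed, 200));
    return 0;
}
```

The unpatched handler answers the 200-byte claim with 200 bytes, 19 of which are the "hello" payload and its padding and the rest whatever followed the record in memory, which is where the planted secret sits; the patched handler drops the same request without replying, which is also why a properly patched server gives an attacker's probe no response to work with.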
What about privacy concerns?
In a media release around the time of the bug, the OAIC made clear that the Privacy Act will not hold you liable under APP 6 as having ''disclosed'' personal information when a third party has "intentionally exploited [your] security measures and gains unauthorised access to the information." However, you may still be liable under APP 11, which requires an organisation to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Simply put, if you did not take reasonable steps to protect against cyber attacks, then you may be in breach of APP 11, and this could entail significant repercussions under the Privacy Act. In the Heartbleed context, reasonable steps would at the very least include knowing whether your systems ran an affected version of OpenSSL, applying the fix promptly once it was released, and replacing any keys, certificates or passwords that may have been exposed in the meantime. Contact Certex for more information about these issues and how to meet your obligations under privacy law. To see a breakdown of the Information Commissioner's analysis in previous situations, check out Telstra Breaches... It was released before the new APPs came into force, but still carries important information about how breaches can occur and what kind of actions are expected from you.