Hacked companies off the hook under new privacy laws

The Office of the Australian Information Commission (OAIC) has confirmed it won’t hold organisations accountable for the exposure of personal information when accessed via a cyber attack, as long as the Office is satisfied with the level of security in place within the targeted systems.

New privacy rules strengthening the enforcement power of the OAIC come into effect in 12 March 2014.

In final guidelines to the way these laws are likely to be enforced, the OAIC made a distinction between what it will treat as a ‘disclosure’ of personal information – which could incur penalties of up to $1.7 million under the new regime – and ‘unauthorised access’.

“An APP entity is not taken to have disclosed personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information," the guidance noted.

Incidents falling into this category would include “a cyber attack” or “theft, including where the third party then makes that personal information available to others outside the entity,” the guidelines explain.

The OAIC harked back to a 2011 “sophisticated security cyber-attack” that saw the details of up to 77 million Sony Playstation user details taken from the global games network to justify its stance.

The commissioner investigated the case at the time and found that, despite the breach, Sony and its subsidiaries took reasonable steps to protect that data both before the attack and afterwards.

Based on this approach, liability on the part of a hacking victim will come down to whether or not the OAIC is satisfied that ‘reasonable steps’ were taken to protect the data in the first place.

This reasonability test will be assessed on a case-by-case basis. The guidelines reveal that the Office will take in to account “current standards and practices” in its evaluation.

It will look, for example, at the presence or absence of governance, physical and electronic security, workplace policies and training, as well as regular monitoring and review of security provisions and data access (as outlined in its April 2013 guide to information security).

But not all organisations will be assessed upon the same standards, the guidelines reveal.

Larger organisations with more resources at their disposal will be expected to have more rigorous protections in place, as will distributed franchises or dealerships and those businesses providing database and network access to contractors.

“The practicability, including time and cost involved,” of the level of security in place will be considered, the guidance noted, with the caveat that “an entity is not excused from taking particular steps to protect information by reason only that it would be inconvenient, time-consuming or impose some cost to do so”.

The guidelines also provide insight into what the OAIC will be looking for in organisations who host personal information with a third party like a cloud provider.

The guidelines make it clear that it will expect clear contract terms defining the limited circumstances in which the provider and any subcontractors can handle the data.

The OAIC will also look for clear clauses maintaining the organisation’s control over the data, including access, changes, retrieval, and assurances that it will be permanently deleted from third party equipment at the expiry of a partnership.