
Cyber attacks do not mean businesses are ‘off the hook’

6 March 2014

‘Recent media reports have suggested that organisations that experience a data breach as a result of a cyber-attack or hack are ‘off the hook’ or won’t be held accountable for the exposure of personal information.

This view does not accurately reflect either the Australian Privacy Principles (APPs) in the Privacy Act 1988 (which come into force on 12 March 2014) or the APP guidelines issued by the Office of the Australian Information Commissioner (OAIC) to support businesses and agencies in implementing practices, procedures and systems that will ensure they comply with the APPs.

APP 6 outlines when an APP entity may use or disclose personal information. Under APP 6, an APP entity is not taken to have ‘disclosed’ personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information. However, the organisation may still be found in breach of APP 11 when this occurs.

APP 11 requires an organisation that holds personal information to take reasonable steps to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Failure to take reasonable steps to prevent unauthorised access such as a cyber-intrusion may be a breach of APP 11. The OAIC has previously found, after investigation, that organisations were in breach of the Privacy Act by not taking reasonable steps to prevent a data breach involving a cyber-attack.

Regular review of information security measures is crucial, particularly given how often organisations change their processes, information, personnel, applications and infrastructure, and how quickly technology and security risks change. Organisations must implement and maintain information security measures that respond to this changing landscape. The OAIC also expects that entities will regularly monitor the operation and effectiveness of the steps and strategies they have taken to protect personal information.

In summary, while an organisation may not be found to have ‘disclosed’ personal information following a data breach or cyber-attack (under APP 6), the organisation may still be found in breach of APP 11 if it did not take reasonable steps to protect the information from unauthorised access, such as a cyber-attack.’

Office of the Australian Information Commissioner