On 12 March 2014, several significant amendments were introduced to the Privacy Act 1988 (Cth), which regulates the collection, storage, use and disclosure of a person’s personal information. Notably, these amendments introduced the Australian Privacy Principles.
Towards the end of 2014, Sony Pictures Entertainment was the victim of a “digital break-in” by a hacking group called the “Guardians of the Peace”. As a result, the phones, email accounts and computers of Sony Pictures Entertainment were all compromised. Apart from the online distribution of unreleased movies, the hacking group also released confidential personal information of employees. This included personal information such as private emails, employee salaries, workplace complaints, home addresses and social security information.
The hack of Sony Pictures Entertainment highlights the magnitude of commercial and reputational loss that can be incurred when personal information of employees or clients held by any entity is compromised.
Australian Privacy Principle 11 of the Privacy Act 1988 (Cth) states the following:
Australian Privacy Principle 11 — security of personal information
11.1 If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
a. from misuse, interference and loss; and
b. from unauthorised access, modification or disclosure.
In an increasingly digital world, where large volumes of information can be collected, accessed and stored remotely (for example on a remote server or via cloud computing services offered by third parties), it has become increasingly easy for an entity to fail to take all such reasonable steps to protect personal information.
Notably, interference with the Privacy Act 1988 (Cth) can in certain circumstances result in awards of compensation, and even a civil penalty of a maximum of $1,700,000.00 (if the entity is a body corporate).
If your organisation is collecting and storing information, we recommend that it review its own policies and procedures and consider whether its internal practices can be improved. Some common areas that you may wish to consider are:
- Are you regularly assessing and managing the risk of a potential information security breach (and keeping records of your regular assessments and risk management steps)? How is information kept secure on your laptops, phones and physical records?
- Do your employee contracts appropriately deal with confidentiality, during and after employment?
- Do you have appropriate procedures in place to deal with data breaches? For example, where company laptops or phones are stolen or lost. If so, are you regularly reviewing these procedures?
- Are you regularly destroying or de-identifying personal information that no longer needs to be kept? (Please note that this is a requirement under Australian Privacy Principles 4 and 11.)
A further resource on Data Breaches has been published by the Office of the Australian Information Commissioner here.
 A timeline of these events can be read here: http://www.businessinsider.com.au/sony-cyber-hack-timeline-2014-12