WannaCry puts spotlight on privacy
WannaCry ransomware encrypts the files on infected computers and demands payment of US$300 in bitcoin in order to restore access to them. The ransom demand doubles after three days. The ransomware also spreads as a worm: it exploits a vulnerability in the Windows SMBv1 file-sharing service for which Microsoft had already released a patch (MS17-010) in March 2017, so it can infect other unpatched computers and servers reachable from an infected machine without any user action. Paying a ransom does not guarantee an organisation that access to its computers will be restored.
Ransomware is not new. It has been around for some time, and LawDownUnder has been sounding the alarm about it for just as long.
What is new is that the WannaCry worm attacked organisations in some 150 countries around the world within the space of a single day, and that it hit major organisations that provide essential services to communities.
For example, on 12 May 2017 the ransomware infected the computer systems of the UK's National Health Service (NHS). Hospital staff could not use their computers and patient data could not be accessed, which resulted in surgeries being cancelled and patients being diverted to unaffected hospitals.
The ransomware also infected large companies such as the Spanish telecommunications company Telefónica, the German railway operator Deutsche Bahn, and the US delivery company FedEx. French researchers later released a tool that could recover the encryption key from memory on some infected machines, but only if the computer had not been rebooted since infection. This case shows how dangerous and powerful ransomware can be and why everyone must be vigilant against such threats. A fix may not be available next time.
Adopting sound privacy and security policies
Organisations with a good data privacy and data security policy, including regularly tested backups that are kept offline where ransomware cannot reach them, will be able to recover from a ransomware attack without having to pay the ransom. This is not only a job for IT specialists. Organisations need to keep an eye on their legal obligations as well, and this is where it is important to involve your IT law experts too.
In fact, the Privacy Act 1993 (information privacy principle 5) requires organisations that hold personal information to protect it with reasonable security safeguards against loss and against unauthorised access, use, modification or disclosure.
What counts as "reasonable security safeguards" depends on the context, the personal information involved, and the state of technological development. As a general rule, the more sensitive the information an organisation deals with, the higher the threshold for adequate security measures. The state of the art, and the sophistication and prevalence of particular attacks, also play a role in assessing the security requirements that apply to a given organisation.
With ransomware being one of the biggest cyber security threats, organisations must ensure that they deploy the right privacy and security policies.
If the personal information for which you are responsible has been encrypted as a result of a ransomware attack and you are unable to restore that data, the information has been lost and the organisation may be in breach of the Privacy Act 1993.
It is therefore important that organisations are more proactive in dealing with security and privacy threats. Each organisation needs to assess the risks involving privacy breaches and which technical protection mechanisms it will deploy to defend itself against cyber attacks.
This risk assessment inevitably requires involvement of directors and managers. This task cannot be left to the information officer alone. It is not a question of if your business will be subject to a cyber attack but when it will happen.
WannaCry puts the spotlight back on privacy and highlights the indispensable need to implement privacy and security policies.
As IT law experts we navigate clients through the increasingly complex legal landscape surrounding privacy and data security. If you have a question regarding data protection and information security please contact us.