How is the WannaCry ransomware attack related to information privacy?

The Privacy Act 1988 (Cth) sets out 13 Australian Privacy Principles (APPs) which Australian Government agencies and most private sector organisations must follow for handling personal information.

APP 11.1 requires APP entities that hold personal information to take such steps as are reasonable in the circumstances to protect that information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

This past weekend's WannaCry ransomware attack (which began on Friday 12 May 2017) reportedly infected over 200,000 computers on six continents and encrypted the documents and other user files on those machines. The ransom note demands US$300 in Bitcoin; if it is not paid within three days the demand doubles to US$600, and after seven days the note threatens to delete the files permanently. Paying is no guarantee of recovery, as the malware has no reliable way to match a payment to a particular victim, which is one reason tested backups matter as much as patching.

Unlike most malware, which relies on an employee opening a malicious attachment or clicking a link in an email, WannaCry spread on its own as a worm. It exploited a vulnerability in the SMBv1 file-sharing service of the Windows operating system for which Microsoft had released a security update (MS17-010) in March 2017, two months before the outbreak. Machines that had not applied that update, or were running versions of Windows that no longer received updates, were infected without any action by the user.

Regular patching of your organisation's operating systems, applications and web-facing systems is an important way to protect against the risks of malware. It is also one of the "reasonable steps" (though not the only one) that APP entities should take to comply with their obligations under APP 11.1.
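As an added illustration of what "checking the patch position" can look like in practice (this is example code written for this page, not a tool of the law firm or of any vendor), the following PowerShell function audits a single Windows host for the two conditions WannaCry relied on: the SMBv1 protocol being enabled, and no security update having been installed since MS17-010 was published on 14 March 2017. It assumes Windows 8 / Server 2012 or later (for Get-SmbServerConfiguration) and an elevated PowerShell session; the function and property names are the author's own, and the "no hotfix since 14 March 2017" test is a proxy, because later cumulative updates supersede MS17-010 and Get-HotFix cannot confirm that specific fix directly.

```powershell
# Added example (not from the original article): audit one Windows host for the
# two conditions WannaCry needed. Assumes Windows 8 / Server 2012 or later and
# an elevated session. Function and output property names are hypothetical.

function Test-WannaCryExposure {
    [CmdletBinding()]
    param(
        # MS17-010 was published on 14 March 2017. A host with no security
        # update installed since that date is treated as missing it.
        [datetime]$PatchReleaseDate = [datetime]'2017-03-14'
    )

    # 1. Is the SMBv1 server protocol still enabled? WannaCry's worm component
    #    exploited SMBv1 over TCP 445, so disabling the protocol removes the
    #    attack surface even on a host that is behind on patches.
    $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

    # 2. When was the most recent hotfix installed? Get-HotFix cannot tell us
    #    whether MS17-010 itself is present (later cumulative updates supersede
    #    it), so the newest install date is used as a proxy.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $patchedSinceRelease = ($null -ne $latest) -and ($latest.InstalledOn -ge $PatchReleaseDate)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SMB1Enabled         = $smb1Enabled
        LatestHotFix        = if ($latest) { $latest.HotFixID } else { 'none' }
        LatestHotFixDate    = if ($latest) { $latest.InstalledOn } else { $null }
        PatchedSinceMS17010 = $patchedSinceRelease
        Exposed             = $smb1Enabled -and -not $patchedSinceRelease
    }
}

# Usage: run as Administrator and review the result before remediating.
$result = Test-WannaCryExposure
$result | Format-List

if ($result.Exposed) {
    Write-Warning "SMBv1 is enabled and no security update has been installed since MS17-010 was released."
}
if ($result.SMB1Enabled) {
    # Disabling SMBv1 removes the protocol WannaCry used to spread. Confirm
    # first that nothing on the network (older NAS devices, printers) still
    # depends on it, then run:
    #   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Warning "SMBv1 is enabled on this host; consider disabling it."
}
```

Run across a fleet (for example via Invoke-Command) and keep the output: a dated record that the check was performed and the gaps closed is the kind of evidence an entity would want to show that it took reasonable steps.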

Our Privacy and Data Protection team can help your organisation to assess its privacy compliance and ensure it complies with the APPs. If you are unsure whether your organisation is subject to the Privacy Act, please contact our Intellectual Property & Technology team for a quick check.