The Privacy Commissioner has decided that a sophisticated cyber attack on an organisation does not necessarily mean that the organisation has failed to take ‘reasonable steps’ as required by NPP 4.1.
The Privacy Commissioner conducted investigations after Dell Australia informed the OAIC that data relating to Dell Australia’s consumer, small and medium business customers had been compromised by unauthorised access to Epsilon’s email system and that this involved customers’ email addresses as well as first and last names.
The investigation focused on whether the overall security safeguards in place within Epsilon and Dell Australia were consistent with the National Privacy Principles contained in Schedule 3 of the Privacy Act.
The Privacy Commissioner considered that, at the time of the incident, Epsilon had reasonable steps in place to protect the personal information it held and, in his view, Epsilon had met its obligations under NPP 4.1 of the Privacy Act.
In the Commissioner’s view, by entering into the contractual agreement with Epsilon, Dell Australia had reasonable steps in place to protect the personal information it held from misuse and loss and had likewise met its obligations under NPP 4.1.