Moves to build privacy-law compliant IT systems may prove ineffectual in the wake of the new breed of self-propagating viruses. The impact could leave IT managers to face litigation if their company is hit by a virus or Trojan horse that exposes a database of personal information.
The latest virus breeds are able to pick up personal information from a company's database and spin it out to millions of prying eyes.
The consequences could mean a damaging blow to a company's reputation and a costly payout.
Whether this scenario becomes a horrible reality begins and ends, it seems, with the IT department.
Robert Walker, local partner IT&T with law firm Baker & McKenzie, said the security of personal information held by a company is a "critical issue" for IT managers and "there are a lot of implications".
"There is the matter of dealing with the differentiation of information. If a company is holding information, IT needs to track the information and who has consented to its use for a secondary purpose; this would mean two databases need to be maintained.
"But IT also needs to be able to deal with the consequences of people changing their mind and deciding that their information could not be used again after [say, a second mailout]. Then there is the matter of keeping antivirus solutions up to date," he said, adding that if a virus breached its defences, the company would be able to show it had taken reasonable measures to secure confidential personal information.
Paul Ducklin, head of global support at Sophos Anti Virus, said that about 72,000 viruses are known to exist at the moment. About 1000 viruses were discovered last month, 40 of which were serious enough to warrant virus notification.
According to the Privacy Act's National Privacy Principle (NPP) 4 on data security, a company must take "reasonable steps to protect the personal information you hold from misuse and loss and from unauthorised access, modification or disclosure".
What 'reasonable' means is the problem facing companies, and in particular IT managers.
If a virus resulted in the disclosure of personal information, the person(s) involved could contact the company involved and, if they received no satisfaction, could then lodge a complaint with the Privacy Commissioner.
The commissioner would then make a ruling on the matter, but for the ruling to be enforced the matter would have to pass to the Federal Magistrates Court, which would either disallow the ruling or award monetary compensation.
Irene Graham, executive director for Electronic Frontiers Australia, said enforcement of the act is "not very strong". So even though this sort of scenario falls into a "grey area", it is still an issue that companies should keep an eye on.
Walker said that if a company has taken all "reasonable steps" to comply with NPP4, a company "would not be liable" and it would be hard for anyone to get the commission to rule against the company.
"The Privacy Act is far more likely to be governed by the bad publicity," Walker said.
Despite legal action against a company being unlikely in this sort of matter, the situation and consequences would be profoundly different if the personal matter disclosed by the virus was, for example, notes from a personnel file, he said.
Ian Dixon, partner industrial relations at Baker & McKenzie, said the possibility of a defamation action could be real in that event.
How to keep the nasties out of your network
Just installing antivirus software is not enough to protect networks in an era of increasingly 'smart' viruses.
Paul Ducklin, head of global support at Sophos Anti Virus, said antivirus solutions are not a "fit and forget solution".
"There are other behavioural things that companies can do to reduce exposure to viruses. Antivirus software is not enough, companies need to look at how attachments are e-mailed and the way they use the Internet."
Ducklin said IT managers need to implement a set of guidelines and policies for safe computing.
Suggested guidelines include:
* A strict policy that downloading executables and documents from the Net is unacceptable and that everything has to be virus checked before it is run.
* Block unwanted filetypes (such as vbs, shs, exe, scr, chm and bat) at the e-mail gateway.
* Block any file that has 'double extensions' from entering the company.
* A firm hoax policy should be put in place.
* Turn off Windows Scripting Host, if it is not needed.
* Change the CMOS bootup sequence from drive A to drive C to stop pure boot sector viruses.
* Make regular backups.
* Subscribe to an e-mail virus alert service.
* Keep up to date with Microsoft's security bulletins.
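As an added illustration of two of the gateway rules above (block the named file types, and block anything with a double extension), not code from the article or from Sophos: a small Python attachment-name filter. The extension-like token pattern, the verdict strings and the sample attachment names are assumptions of this example.

```python
import re

# File types the article suggests blocking at the e-mail gateway.
BLOCKED_EXTENSIONS = {"vbs", "shs", "exe", "scr", "chm", "bat"}

# An "extension-like" token: 1-4 letters/digits, possibly padded with spaces
# (e.g. "readme.txt            .exe"), which is how double-extension names
# push the real extension out of sight. Assumption of this example.
_EXT_TOKEN = re.compile(r"^\s*[a-z0-9]{1,4}\s*$")


def attachment_verdict(filename: str) -> str:
    """Classify one attachment name: 'allow' or a short block reason.

    Rules, in order:
      1. final extension is in BLOCKED_EXTENSIONS -> block
      2. more than one extension-like suffix      -> block (double extension)
      3. otherwise                                 -> allow
    """
    name = filename.lower().strip().rstrip(".")   # "evil.exe." still ends in .exe
    parts = name.split(".")
    if len(parts) < 2:
        return "allow"                              # no extension at all
    suffixes = parts[1:]
    final = suffixes[-1].strip()
    if final in BLOCKED_EXTENSIONS:
        return f"block: extension .{final}"
    # A strict double-extension rule: any second extension-like suffix is
    # blocked, so "archive.tar.gz" is caught too. That is the trade-off of
    # the policy the article describes, not a bug in the check.
    ext_like = [s for s in suffixes if _EXT_TOKEN.match(s)]
    if len(ext_like) >= 2:
        return "block: double extension"
    return "allow"


def filter_attachments(filenames):
    """Return {filename: verdict} for a batch of attachment names."""
    return {f: attachment_verdict(f) for f in filenames}


# Constructed sample attachment names (not taken from the article).
SAMPLE_ATTACHMENTS = [
    "quarterly-report.doc",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "invoice.pdf                  .exe",
    "setup.exe",
    "archive.tar.gz",
    "notes",
]

if __name__ == "__main__":
    for f, v in filter_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{v:26} {f!r}")
```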