Privacy Obligations:

Australia and NZ’s Privacy Act’s require all reasonable efforts to maintain the security and privacy of personal information:

"Auckland technology companies Performance Solutions and GDC Communications are hurrying to alert customers of a loophole that has allowed a hacker to break into the phone systems of a dozen New Zealand Companies. Guessing passwords, the hacker was also able to divert calls and access users’ voicemail, a privacy nightmare for companies wary of giving away information to competitors."
(The Herald, NZ, 2004)

Responsibility to Recognise and Manage Risk:

• It is generally regarded as management’s responsibility to recognise and manage risk. Often this responsibility sits with the CEO or CFO.

• The Australian Stock Exchange requires that directors of listed companies comply with a number of principles. Principle 7 is to “Recognise and Manage Risk”. Click here to open in a new window the ASX guidance notes on this principle

• The Banking and Finance industry has even more rigorous requirements (via APRA).

• Organisations with significant links to the USA eg; parent company in USA or Australian company listed on the New York Stock Exchange, must comply with the risk management requirements of Sarbanes-Oxley Act 2002.

IT and Office Managers:

Given the responsibilities above it makes sense for line managers to communicate the risk of telephone hacking to those responsible for risk management in their organisation. When an organisation is hacked it is relatively common for the CEO to ask “who is responsible for that area and why wasn’t I informed of the risk”.

Home