Privacy and cybersecurity law changes, post Optus

Published on the 05/10/2022 | Written by Heather Wright


The longer term impact of the Optus breach…

Changes to current privacy laws to prevent unnecessary holding of personal data by companies along with new cybersecurity laws are likely in the wake of Optus’ massive data breach. 

“We need to get in place something that encourages companies to not keep data when they no longer have a purpose for it.”

The telco this week confirmed that of the 10 million accounts breached, at least 2.1 million customers’ personal identification numbers – including passport, Medicare and driver’s licence numbers – were stolen, with those customers likely to need to replace documents. A Sydney teenager was charged on Thursday over using information from the breach in an alleged SMS scam in which he demanded payments from Optus customers whose data was leaked on a website last week.

The telco has hired Deloitte to investigate the massive breach. Its handling of the incident has been very publicly called into question – including by the government – and scrutiny has focused on current privacy laws and the penalties for such breaches.

The Australian federal government has already announced plans for temporary emergency amendments to telecommunications regulations to help protect people caught in the breach.

Australian Treasurer Jim Chalmers announced the proposed amendments, which would include enabling telcos to temporarily share approved government identifier information with regulated financial services to allow them to implement enhanced monitoring and safeguards, this week as the ructions over the breach continue. Identifiers will also be able to be shared with Commonwealth, state and territory governments to ‘detect and assist in preventing fraud’.

Longer term, Chalmers says the Council of Financial Regulators’ cybersecurity working group will examine and report on options to further improve the ability of financial institutions to identify at-risk customers and credentials, using an existing secure and privacy-protecting data sharing platform, so that financial institutions can further strengthen their protection of consumers from financial crime.

The breach is also prompting a hard look at the Privacy Act and cyber security laws.

Attorney-General Mark Dreyfus says he’s looking at what urgent reforms can be made to the Privacy Act in the wake of the Optus breach, while Home Affairs minister Clare O’Neil has said new cyber security laws are likely, with current penalties ‘totally inappropriate’.

The Optus breach affects customers from as far back as 2017, with Optus saying it was required to keep the personal data for six years. 

That’s raised questions about how long companies should be required to keep data, with Attorney-General Mark Dreyfus saying he believes identity verification records shouldn’t need to be kept after companies have checked them. Dreyfus says he’s looking at whether the Privacy Act reforms he’s seeking can be made this year.

He says companies have, for too long, been looking at data as an asset they can use commercially.

Australians need to be assured that when data is collected from them it will only be used for the purpose it has been collected for, and ‘we need to get in place something that encourages companies to dispose of data safely, to not keep data when they no longer have a purpose for it’, Dreyfus says.

“We need to have them appreciate very, very firmly that Australians’ personal information belongs to Australians, it’s not to be misused, it absolutely has to be protected and if the Privacy Act is not getting us those outcomes then we need to look at reforms to the Privacy Act,” he says. 

In 2020, Optus was among those opposed to privacy law changes which could have seen customers given the right to request that their personal information was destroyed. 

The review also looked at increasing rights to take legal action against companies over breaches. 

While there are no specifics yet on what form any Privacy Act changes might take, Dreyfus’ comments suggest companies are likely to face stricter controls on the data they can keep and the length of time it can be retained, along with potential requirements for data to be ‘safely’ disposed of at some point.

The need for those changes was further reinforced this week when both Telstra and NAB suffered cyber breaches via a third-party platform, Work Life NAB, a business rewards program from Pegasus.

Employee names and email addresses were stolen from a platform Telstra says is no longer live, with the data from 2017. 

No customer account information was included in that breach, but details of around 30,000 staff were published on the same site where details of 10,000 of the Optus customers were shared last week. (Threats to publish additional details of Optus customers each day until an AU$1 million ransom demand was met have since been ‘withdrawn’.)

O’Neil has also flagged potential cybersecurity law changes.

She says in other countries a breach of this scale would result in ‘hundreds of millions of dollars’ worth of fines’, while Australia has a maximum fine of just over $2 million for breach of the Privacy Act – something she deemed ‘totally inappropriate’.

“There are a few things that we’re going to need to look at,” she says. 

“I think we need to be looking at a variety of issues, including the powers that I have as Cyber Security Minister, to mandate minimum cybersecurity standards which could have prevented this from occurring. A very substantial reform task will emerge from a breach of this scale and size.”

Both O’Neil and the Minister for Government Services and NDIS, Bill Shorten, have been scathing about the breach, saying it ‘should never have happened’, with O’Neil describing it as ‘basic’ rather than a sophisticated cyber attack. 

Meanwhile, for Optus – and its customers – the fallout continues. 

On Sunday, the Government again called on Optus to cooperate with government agencies, saying Services Australia wrote to Optus on September 27 asking for full details of all affected customers whose Services Australia credentials – including Medicare cards and Centrelink Concession cards – were exposed. 

Optus, for its part, said on September 28 that it was ‘in contact’ with Services Australia. It said nearly 15,000 valid Medicare ID numbers had been exposed. A further 22,000 expired Medicare card numbers were also exposed.

The Australian Federal Police and state and territory police have set up Operation Guardian in an effort to protect Optus customers affected by the breach with ‘multi-jurisdictional and multi-layered protection from identity crime and financial fraud’.

Optus is also offering ‘the most affected’ customers the option of a free 12-month subscription to Equifax Protect, a credit monitoring and identity protection service.

Both Slater & Gordon and Maurice Blackburn have also said they’re investigating a possible class action seeking compensation for those affected by the breach.
