The Optus data breach of September 2022 is possibly the largest to have ever affected Australia consumers. Hackers have reportedly gained access to the personal information of 11 million individuals – 2 million more than currently have an active account with Optus. According to the ACCC’s Scamwatch service, the stolen data includes: names, dates of birth, phone numbers, emails and postal addresses as well as some driver’s licence numbers, Medicare numbers and passport details.
The fallout for Optus is likely to be severe (even the FBI is now getting involved) and is also likely to lead to significant changes to the Australian privacy regime. The Privacy Act 1988 (Cth), which was already under review by the Attorney-General’s office, has been criticised for lagging behind international standards such as the EU’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL). The Optus hack is only likely to hasten calls for the law to be substantially strengthened, and the Minister for Home Affairs and Cybersecurity, Clare O’Neil, has already proposed interim reforms that would enable businesses to react more quickly and more effectively to security breaches.
In comments that are likely to come back to haunt it, Optus filed submissions in 2020 to the AG’s review, arguing against a right for individuals to require their personal information be deleted (a similar right exists under the GDPR and PIPL). Optus suggested at the time that this proposed change would impose significant technical hurdles and costs on businesses, far outweighing any benefits. Optus also opposed a second proposal that would have allowed consumers to bring direct legal claims for privacy breaches.
Currently, the Privacy Act requires some (but not all) businesses to:
This language is vague and non-specific (even when read alongside the official guidelines which go into much greater detail), with “reasonably” and “reasonable” doing a lot of heavy lifting. The net result is weak rights for individuals and weak obligations for businesses, with considerable grey area in between.
Proposed changes to the Privacy Act are now likely to focus on:
In the meantime, Optus finds itself in a serious predicament, having to firefight on multiple fronts in a fast-changing landscape. Its immediate priorities will include:
With fines for data breaches in Australia currently capped at just over $2million, the greatest risk to Optus is likely to be in the form of lost business as users transfer to other operators. Optus faces an uphill struggle to repair its reputation and earn back the trust of customers, and this will not be helped by reports that, far from being a “sophisticated attack” as first claimed, the hack was in fact more a case of leaving the back door wide open.
New information about this data breach and its repercussions is coming to light all the time. If you would like to discuss your rights or obligations under the Privacy Act and related regulations, please contact our data protection and privacy specialist Graeme Fearon.
This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.
© Moulis Legal 2022