The Optus data breach of September 2022 is possibly the largest to have ever affected Australia consumers. Hackers have reportedly gained access to the personal information of 11 million individuals – 2 million more than currently have an active account with Optus. According to the ACCC’s Scamwatch service, the stolen data includes: names, dates of birth, phone numbers, emails and postal addresses as well as some driver’s licence numbers, Medicare numbers and passport details.
Changes to the law
The fallout for Optus is likely to be severe (even the FBI is now getting involved) and is also likely to lead to significant changes to the Australian privacy regime. The Privacy Act 1988 (Cth), which was already under review by the Attorney-General’s office, has been criticised for lagging behind international standards such as the EU’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL). The Optus hack is only likely to hasten calls for the law to be substantially strengthened, and the Minister for Home Affairs and Cybersecurity, Clare O’Neil, has already proposed interim reforms that would enable businesses to react more quickly and more effectively to security breaches.
In comments that are likely to come back to haunt it, Optus filed submissions in 2020 to the AG’s review, arguing against a right for individuals to require their personal information be deleted (a similar right exists under the GDPR and PIPL). Optus suggested at the time that this proposed change would impose significant technical hurdles and costs on businesses, far outweighing any benefits. Optus also opposed a second proposal that would have allowed consumers to bring direct legal claims for privacy breaches.
Currently, the Privacy Act requires some (but not all) businesses to:
- only collect personal information where it is reasonably necessary for the business’ functions or activities;
- take reasonable steps to protect this personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
- take reasonable steps to destroy or de-identify personal information once it is no longer needed in certain circumstances.
This language is vague and non-specific (even when read alongside the official guidelines which go into much greater detail), with “reasonably” and “reasonable” doing a lot of heavy lifting. The net result is weak rights for individuals and weak obligations for businesses, with considerable grey area in between.
Proposed changes to the Privacy Act are now likely to focus on:
- increasing fines for privacy breaches
- tightening requirements for business to implement adequate security
- strengthening individuals’ rights to control how their personal information is collected and used
- rowing back on federal requirements for telcos to retain ID verification for 6 years.
Ramifications for Optus
In the meantime, Optus finds itself in a serious predicament, having to firefight on multiple fronts in a fast-changing landscape. Its immediate priorities will include:
- investigating and fixing the vulnerabilities in its systems
- dealing with ransom demands from alleged hackers
- actively pushing accurate and up-to-date information to its customers and the general public
- handling queries from worried customers
- answering a range of official inquiries including from the Office of the Australian Information Commissioner, the Australian Signals Directorate, the Australian Federal Police, and the Attorney-General
- limiting the long-term damage to its reputation and finances.
With fines for data breaches in Australia currently capped at just over $2million, the greatest risk to Optus is likely to be in the form of lost business as users transfer to other operators. Optus faces an uphill struggle to repair its reputation and earn back the trust of customers, and this will not be helped by reports that, far from being a “sophisticated attack” as first claimed, the hack was in fact more a case of leaving the back door wide open.
New information about this data breach and its repercussions is coming to light all the time. If you would like to discuss your rights or obligations under the Privacy Act and related regulations, please contact our data protection and privacy specialist Graeme Fearon.
This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.
© Moulis Legal 2022
