Is regulatory data law reform needed following the Optus breach?
Following the Optus customer data breach, which left potentially millions of customers’ information in the hands of cyber criminals — not to mention Minister for Home Affairs Clare O’Neil “baying for Optus’ blood” — legal organisations have expressed concern over Australia’s data privacy laws.
Customers of Australia’s second-largest telco may have had their names, dates of birth, phone numbers and email addresses stolen in the data breach — which was announced on 22 September — as well as driver’s licence and passport numbers in some cases.
Following this, Marque Lawyers senior associate Sophie Ciufo and partner Justin Cudmore said that from a privacy law perspective, Optus is facing a number of risks — and questioned whether the telco took reasonable steps to keep the data secure.
“Australian Privacy Principle 11 obliges organisations to take such steps as are reasonable in the circumstances to protect personal information they hold from unauthorised access. Determining what are reasonable steps is an entirely subjective exercise, and steps which are acceptable for your corner store are very different from those required of one of the country’s largest telco providers.
“Assuming that the privacy commissioner investigates the breach (it’s hard to see that not occurring), Optus will be trying to convince them that they had all the data security measures in place you would expect of a telecommunications behemoth with several billions of dollars of turnover which holds personal information about the majority of adult Australians,” the pair said.
“Being the victim of a data breach is not necessarily a breach of privacy laws, if you are able to demonstrate that the steps you took to keep the personal information you hold secure were reasonable.”
While one of the “most concerning” aspects of the data breach was that individuals’ identification documents may have been compromised, the Commonwealth’s metadata retention laws oblige telco providers to retain identification details of their users in the first place.
The ramifications of the breach
Tony Song, a research fellow in the NSW Law Society’s Future of Law and Innovation (FLIP) research stream at UNSW Law and Justice, said that Optus would face three main ramifications: a regulatory enforcement response, civil litigation including class actions, and the effect on Optus’ reputation.
“First, as this is the second large data breach by Optus in recent years, they will face additional scrutiny from the Office of the Australian Information Commissioner, the regulatory body responsible for investigating breaches of privacy in Australia.
“Under Section 13G of the Privacy Act 1988 (Cth), an organisation that seriously or repeatedly interferes with the privacy of an individual or individuals may be subject to civil penalties up to 2,000 penalty units or $2.2 million. Of course, the loss of customers, legal costs, and additional expenditure on upgrading their systems will also be very costly,” he said.
“However, privacy on its own is a very high bar to set for damages, and for a class action to be brought, you need substantial losses so that it is worthwhile for the lawyers/funders to pursue. The present problem here is identifying any loss or damage. Optus has [also] lost the trust and confidence of its customers, in the case of some, forever. Trust takes years to build, and seconds to destroy. Optus now faces a long and expensive road ahead to rebuild that trust.”
Smaller businesses need better protection
Lawcover, an APRA-licensed and regulated professional indemnity insurer for law practices in NSW, the Northern Territory and the ACT, would welcome efforts to better protect businesses from cyber crime, said chief executive Kerrie Lalich.
“Since 2017, Lawcover’s professional indemnity policy has been impacted due to law practices falling prey to business email compromise (BEC) attacks, resulting in the loss of client funds. Since 2018, and as an extra step to protect law practices from cyber risk, Lawcover has purchased a separate group cyber risk policy [that] protects all insured law practices in the event of a cyber attack, at no additional cost. This policy provides $50k of first-party cover and crisis assistance to all insured law practices. Lawcover also offers law practices a range of cyber risk management resources, encourages all its insureds to have a cyber-incident response plan and an increase in technology education and application,” she said.
“Cyber attacks on law firms often come to light when there is a cyber-assisted fraud involving email to redirect a payment request (BEC). Lawcover’s claims experience shows that small law practices and those in the conveyancing area of practice are particularly vulnerable to cyber attacks. Those firms need to be particularly vigilant around cyber security.
“One step the federal government should consider is regulatory reform to require banks to cross-check account names against account numbers. In our view, this would dramatically decrease the incidence of BEC fraud and make cyber crime against small businesses less lucrative for cyber criminals.”
Do Australian data privacy laws need to be reformed?
Whether Australia’s privacy regime needs to change, both to protect consumers and to protect businesses, will come down to the government, Ms Ciufo and Mr Cudmore added.
“The Home Affairs Minister is baying for Optus’ blood, claiming that it didn’t take appropriate measures to protect users’ data, fell victim to a ‘basic’ hack, and that the telco’s response to the breach is inadequate. She also flagged increasing maximum penalties for privacy law breaches. Currently, the maximum penalty is a little over $2 million, which is way behind other jurisdictions,” they said.
“There is a comprehensive review of the Privacy Act currently underway, and we think this significant data breach will sharpen the government’s focus and likely result in significantly tighter laws on data protection, and bigger penalties.”
The federal government should urgently adopt measures like the European Union’s General Data Protection Regulation (GDPR) to protect Australians, Mr Song added. The GDPR, described as the “toughest privacy and security law in the world”, is the EU’s legal framework on data protection and privacy and has applied across the European Union since 25 May 2018.
“I think our laws should at the very least be updated to match the EU’s GDPR, which has become something of the gold standard for data protection regulation,” Mr Song said.
“This means increasing the penalties not just for the cyber criminals, as suggested by shadow home affairs minister Karen Andrews — as this will not effectively deter bad actors, who will assume they will not get caught anyway — but actually for the companies that hold, use and process all our data.
“Our current $2.2 million limit [in corporate penalties for breaches] is nothing compared to the GDPR’s maximum of €20 million or 4 per cent of the firm’s worldwide annual revenue. For many large tech companies, that is still peanuts to them.”
Lauren Croft
Lauren is a journalist at Lawyers Weekly and graduated with a Bachelor of Journalism from Macleay College. Prior to joining Lawyers Weekly, she worked as a trade journalist for media and travel industry publications and Travel Weekly. Originally born in England, Lauren enjoys trying new bars and restaurants, attending music festivals and travelling. She is also a keen snowboarder and pre-pandemic, spent a season living in a French ski resort.