“[I]n other countries around the world a breach of this scale would result in hundreds of millions of dollars’ worth of fines against a company … We have a maximum [fine] of just over $2 million … [for] breaches of the Privacy Act. Totally inappropriate … there are a few things that we're going to need to look at”
“And I think we need to be looking at a variety of issues, including the powers that I have as Cyber Security Minister, to mandate minimum cybersecurity standards which could have prevented this from occurring”
“A very substantial reform task will emerge from a breach of this scale and size”
Australia’s Home Affairs Minister, Clare O’Neil MP – speaking in the aftermath of the recent Optus data breach
The Optus data breach has dominated Australian news headlines over the last week. We know so far that it has affected the personal information of 9.8 million Australians[1], including the 10,000 whose details were released online by the hacker (before they apologised, withdrew their original AUD $1 million ransom demand and promised to destroy and not release any other data). It serves as a stark reminder to businesses (and government) of their statutory obligations to protect personal information and take appropriate steps to prevent and minimise the impact of cybersecurity incidents, and also a warning that law reform in this space is likely to occur sooner rather than later.
In this insight, we unpack some of the key lessons from the Optus data breach – from privacy and cyber security issues to FIRB data conditions – and consider the likely regulatory reforms that will impose enhanced obligations on businesses and government.
Privacy laws and the ways in which Optus may have contravened them have been a particular focus for Australian consumers and the media.
The Privacy Act 1988 (Cth) (Privacy Act) – which applies to most private sector organisations and Australian government agencies – and the Australian Privacy Principles (APPs), impose a number of obligations on regulated entities around the collection, security and protection, and destruction or de-identification of personal information.
Under APP 3, collection of personal information by a regulated entity must be reasonably necessary for, and also proportionate to, a legitimate business or operational purpose of the entity. The Optus data breach has raised a number of questions as to why Optus had collected (and retained) drivers’ licence numbers, passport numbers and Medicare numbers. The loss of or unauthorised access to these types of government identifiers brings a heightened risk of fraud or identity theft for affected individuals.
In a time where business and government regard data as a valuable asset and are increasingly looking to derive benefit (both commercial and operational) from analysis of the consumer personal information they hold, they must do so being mindful of these collection obligations under APP 3.
Indeed, the Discussion Paper released by the Australian government on review and reform of the Privacy Act[2] indicates an intention to move away from the current ‘notice and consent’ model of regulation under the Privacy Act, in favour of a model that imposes stricter limits on collection, use and disclosure. The Discussion Paper also suggests that a ‘fair and reasonable’ test should be applied to collection, use and disclosure – and this would apply in addition to the existing requirements around collection being reasonably necessary, and for notified purposes.
APP 11 requires regulated entities to take ‘reasonable steps’ to protect personal information they hold from unauthorised access, modification and disclosure, and from misuse, interference and loss. The expectations of a sophisticated company with significant resources are higher in this regard, and it is clear that what constitutes ‘reasonable steps’ continues to evolve and expand as cyber threats in Australia increase. It is also clear that businesses holding significant volumes of personal information, in some cases unnecessarily or inappropriately, are more attractive targets for cyber-attacks and more vulnerable to data breaches.
Data retention is perhaps one of the key lessons from the Optus data breach.
APP 11 requires regulated entities to destroy or de-identify personal information that is no longer required for the purpose for which it was originally collected, unless the entity is legally required to retain it. Holding on to personal information unnecessarily and in breach of APP 11 was an issue Australia’s privacy regulator (the OAIC) identified in its investigation of high profile data breach incidents that affected the Commonwealth Bank of Australia[3] and Uber[4].
The difficulty here, for both entities and regulators, is the patchwork of data retention laws that apply across different sectors in Australia. Certain information must be kept for 2 years, 5 years, 7 years and even 10 years in some cases. Consequently, there is a tendency for regulated entities to keep personal and other information for the longest prescribed period, or indefinitely “just in case”.
In Optus’ case, as a carrier under the Telecommunications Act 1997 (Cth) (Telco Act), it is required to collect government identifiers such as drivers’ licence, passport and Medicare numbers for identity verification purposes, and to retain that information for specific periods in order to meet its data retention obligations under the Telecommunications (Interception and Access) Act 1979 (Cth).
Other legislation in Australia, such as the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and AUSTRAC reporting obligations, require identification records to be kept by financial services providers and other ‘reporting entities’ for 7 years.
For Privacy Act reform, proposals noted in the Discussion Paper for APP 11 and the security and destruction of personal information include amending APP 11 to clearly state that ‘reasonable steps’ includes technical and organisational measures, and to include a list of factors that indicate what reasonable steps may be required.
Also suggested is amendment of APP 11 to require regulated entities to take all reasonable steps to destroy the personal information they hold, or ensure it is anonymised (as opposed to de-identified) where the entity no longer needs it for any purpose. For this purpose, anonymisation is the process of irreversibly treating data so that no individual can be identified, including by the holder(s) of that data.
Even before the Home Affairs Minister, in the context of the Optus data breach, referred to the current maximum penalty under the Privacy Act for a regulated entity’s failure to comply with its obligations of AUD $2.2 million as “totally inappropriate”, moves have been afoot to significantly increase applicable penalties.
The previous Australian government had released an exposure draft of legislation known as the Online Privacy Bill[5] in 2021, which proposed increasing the maximum penalty for regulated entities engaging in a serious or repeated interference with privacy to the greater of:
Given this, and the strong calls following the Optus data breach for higher penalties under the Privacy Act to better align Australia with the penalties that apply in overseas jurisdictions such as under the European General Data Protection Regulation (GDPR)[6], we can expect the Australian government to move swiftly on such reforms.
Recent amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) reflect some of the most significant cybersecurity reforms in Australia’s history, expanding the scope of the SOCI Act to most sectors of the Australian economy, and introducing broad Australian government direction and intervention powers, impacting a wide range of critical infrastructure sectors and assets. The Optus data breach is the first material cyber incident that has occurred since the SOCI Act amendments came into force.
While carriers such as Optus are subject to the SOCI Act, the information sharing and mandatory cyber incident reporting obligations under the Act are not ‘switched on’ for the telecommunications sector, given existing equivalent requirements that apply under Part 14 of the Telco Act. These requirements, and the new security of information carrier licence conditions and service provider rules, broadly track the SOCI Act reporting obligations.
Under Part 14 of the Telco Act, carriers are subject to obligations to maintain the security of their networks and facilities (potentially including databases holding customer information), do their best to protect them from unauthorised access or interference and notify the Australian government of any changes that might adversely affect their ability to comply.
It is not yet known whether Optus has breached any of its Telco Act obligations in this regard. However, it seems likely that recent events may also see the Department of Home Affairs taking a more conservative approach to approving potential network and facility changes as well as to the kinds of changes that require notification.
Under the SOCI Act, critical infrastructure asset owners and operators in other sectors, including data storage and processing, financial markets, transport, food and grocery, health and medical and energy, have until 8 October 2022 to register those assets with the Cyber and Infrastructure Security Centre (CISC), and provide operational and interest or control information. The required information includes details of the owner/operator, the asset’s location, and contractual arrangements for the operation of core functions of the asset or the management of “business critical data”[7].
Since 8 July 2022, the SOCI Act has also required responsible entities for critical infrastructure assets to report actual or imminent cyber security incidents to the Australian Signals Directorate within 72 hours of becoming aware of the incident, or within 12 hours if the incident is having or has had a significant impact on the availability of the asset.
Foreign acquisitions of facilities holding data with national security implications have been a focus of Australia’s Foreign Investment Review Board (FIRB) for some time. However, in recent years, FIRB has taken a closer interest in any investment proposal involving a foreign investor owning or having the ability to access personal information and other sensitive, industry-specific data, or the transfer of sensitive data offshore, regardless of whether national security concerns arise in respect of the data.
This has played out in the data conditions FIRB has negotiated with foreign investors in telecommunications, financial services, health and education assets that hold or have access to large volumes of personal information. FIRB’s own guidance on the development of conditions relating to national security and sensitive data[8] notes that such conditions seek to mitigate the risks of unauthorised access, corruption, denial or exfiltration, and may specify:
If a regulated entity was subject to these types of FIRB data conditions, and suffered a cyber incident similar to the Optus data breach, the incident could well amount to a breach of negotiated FIRB data conditions. Assuming the data conditions were enforceable and breached, criminal and civil penalties could be sought for breaches of the Foreign Acquisitions and Takeovers Act 1975 (Cth). For a particularly significant breach, a foreign investor could be ordered to divest (by requiring the sale of shares, assets or property). FIRB may feel compelled to take action if another regulator such as the OAIC took action in respect of the same breach.
The Optus data breach highlights the importance of businesses – and their boards – paying close attention to their privacy and cyber security obligations under Australian law, and preparing for further regulatory reforms including significantly increased penalties and enforcement measures for non-compliance.
It is impossible to develop and implement effective privacy, data and cybersecurity governance measures without a clear understanding of the data an organisation collects and holds, including where and how it stores that data. An organisation-wide privacy and data audit is an appropriate place to start, in order to:
Entities that own or operate significant infrastructure assets in any of the sectors covered by the SOCI Act would also be well-advised to carefully assess whether and the extent to which the SOCI Act, including the information sharing and mandatory reporting requirements, apply to them, and to review internal controls and processes to ensure compliance.
If you would like to discuss issues raised in this article, or how JWS can assist your organisation, please get in touch with Helen Clarke or Jennifer Dean.
[1] On 3 October 2022 Optus provided a further update advising that 2.1 million customers have had an identity document number exposed. Of these, about 150,000 are passport numbers, and another 50,000 are Medicare card numbers.
[2] Attorney-General’s Department Privacy Act Review Discussion Paper, October 2021, available at https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/
[3] Following a data breach incident in 2016 and a cross-CBA group data access issue in 2018, and another regulatory review of CBA by APRA, the OAIC made certain enquiries of CBA which culminated in the OAIC finding that the data incidents raised issues with CBA’s compliance with APP 11. CBA agreed to provide an enforceable undertaking to the OAIC in 2019, available here.
[4] Following cyber-attacks on Uber in late 2016, the OAIC undertook an investigation and found that Uber had failed to appropriately protect the personal information of 1.2 million Australian customers and drivers in breach of APP 11. The OAIC’s statement on its determination is here and the determination decision is here.
[5] Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021.
[6] Under the GDPR, European regulators can fine businesses €20 million (approx. AUD $29.8 million) or 4 per cent of their global annual turnover, whichever is greater.
[7] The SOCI Act defines “business critical data” to include (i) personal information about 20,000 or more individuals or sensitive information, (ii) information relating to any research and development in relation to a critical asset
[8] Guidance 11 – Protecting the National Interest: Guiding Principles For Developing Conditions (Last Updated: 5 July 2022), available here.