External investigations will need to be completed before all of the facts surrounding Australian telco Optus’ data breach of September 2022 are fully understood. The broad outline of the data breach is widely reported at this time. Apparently, the hacker, who held the data to ransom, stated on a forum that access to the data was gained through an “unauthenticated” or open API (application programming interface), a software interface that allows seamless data exchange between applications and which, in this case, is said to have returned data without requiring the caller to prove its identity. Optus has revealed that it believes 9.8 million records containing personal information of current and former customers have been exposed. Some have reported that this cyber security incident may be the worst data breach in Australia’s history.
The big legal compliance questions for Optus under Australian privacy laws will include:
- Did it hold personal information for longer than it needed to?
- Did it take reasonable steps to ensure destruction or de-identification of personal information when the information was no longer needed?
- Did it take reasonable steps to protect the personal information it held from misuse, interference and loss and from unauthorised access, modification or disclosure?
- Has it met its legal obligations regarding notification and management of the data breach and its remediation?
For other corporations the big legal compliance question is what the data breach will mean for the Australian privacy law landscape moving forward.
Aside from legal compliance questions, and the potential regulatory penalties, the commercial damage to Optus as a result of the data breach will be far reaching. Data breaches are expensive for corporations to deal with. IBM’s “2021 Annual Cost of a Data Breach Report”, featuring research by Ponemon Institute, found the average cost of a data breach had increased 2.6% from AUD$6.6 million in 2021 to AUD$6.78 million in 2022. The costs to Optus will far exceed the average.
The financial damage arising from a data breach extends to investigation and containment; the costs of an external audit and legal bills; dealing with regulators; communication and compensation to affected stakeholders; and the hidden damage to reputation and brand value, customer relationships and share price.
For those executives in Australia able to learn from the difficulties Optus now faces, proactive action to rectify processes, build customer trust and enhance security is much less costly before a data breach occurs, than it is in the aftermath of a breach.
Optus has experience in dealing with data breaches and manages complex telecommunications networks and systems, so it will have been much better prepared than many organisations to prevent such a breach and deal with the aftermath. In 2014 Optus was investigated by the OAIC (Office of the Australian Information Commissioner) pursuant to powers under the Australian Privacy Act (Privacy Act 1998 (Cth)), after three significant data breaches arose from internal errors and insufficient testing of its IT systems. Optus entered enforceable undertakings after it was found that it did not have reasonable measures in place to safeguard the personal information held in its systems at the time the data breaches occurred.
At that time Optus agreed to:
- Engage an appropriately experienced and qualified independent third party auditor to review its compliance with the undertakings and to assess whether its practices, procedures and systems were reasonable to protect the personal information it held from misuse, interference or loss, or unauthorised access, modification or disclosure;
- Enhance its monitoring of change management;
- Enhance its penetration testing;
- Review its vulnerability detection processes across the organisation concerning the security of personal information; and
- Review the architecture of its principal IT systems involved in storing and handling personal information.
Notwithstanding this history for Optus and the sophistication of its technology environment, privacy and security compliance is a matter for continual review as the threat landscape changes. No organisation will be immune from breaches even if it takes reasonable steps to secure personal information. Data breaches are a daily reality for all organisations to guard against. According to the Australian Cyber Security Center, a part of the Australian Signals Directorate tasked with strengthening the nation’s cybersecurity, 164 cybercrime reports are made by Australians every day on average – or about 1 report every 10 minutes.
Interestingly, API vulnerability is high on many lists of security risks. Gartner has predicted that in 2022, “API attacks will become the most-frequent attack vector, causing data breaches for enterprise web applications.” An international survey of 117,000 cybersecurity incidents found that API insecurity was responsible for annual losses of between $41-75 billion globally and $12-23 billion in the US.
While a data breach is likely, if not inevitable, the consequences for Australian corporations seem certain to ratchet up, with privacy and cyber security increasingly coming under scrutiny by all stakeholders.
There is a growing trend for multiple regulators to become involved in questions of personal information handling on behalf of consumers. In August 2022, the Australian Federal Court ordered Google LLC to pay AUD$60 million in penalties for making misleading representations to consumers about the collection and use of their personal location data on Android phones between January 2017 and December 2018, following court action by the ACCC (Australian Competition and Consumer Commission). ACCC Chair Gina Cass-Gottlieb stated at the time:
“Companies need to be transparent about the types of data that they are collecting and how the data is collected and may be used, so that consumers can make informed decisions about who they share that data with,” and “This is the first public enforcement outcome arising out of the ACCC’s Digital Platforms Inquiry.”
The maximum penalty for breaches of the Australian Consumer Law is the higher of AUD$10 million; three times the value of any benefit obtained; or, if the value cannot be determined, 10% of an offender’s annual turnover.
The US Federal Trade Commission (which plays a similar role in the US to the ACCC) long ago entered the area of privacy compliance, in the absence of federal privacy regulation in the US, through the use of consumer protection legislation.
There is a competing interest between, on the one hand, the privacy rights of individuals to control use of their personal information, to have it managed lawfully and in an open and transparent way and, on the other hand, the interests of large corporations which are not in favour of the compliance implications of yet tougher regulation. Tougher regulation will likely lead to increased costs of compliance and then to increased prices for consumers. In November 2020, Optus along with many other corporations responded to the Attorney General’s Issues Paper prepared as a part of the Review of the Australian Privacy Act, and the view of Optus at that time was:
“wholesale change to the well-established processes in the Privacy Act are likely to lead to substantial compliance costs and place a further drag on innovation and limit the benefits of digitisation. Consequently there needs to be a high bar to justify legislative change.”
The question now is whether that high bar for legislative change in Australia has been crossed. The EU (European Union) seeks to protect the privacy of individuals within the EU when information about those individuals is transferred to countries outside the EU. The European Commission has taken the view that, compared to EU privacy laws, the Australian Privacy Act does not offer adequate protection for personal information transferred from Europe. This has led to restrictions and additional compliance measures on the transfer of personal information from the EU to Australia. As Australian privacy lawyers can attest, a lack of sophistication amongst some Australian businesses in adopting global best practices in privacy and data management, and a common preference to stick to bare-minimum compliance practices under less stringent Australian privacy laws, act as an impediment to global expansion. There is often a steep learning curve when growing businesses start actively engaging with consumers in the EU, and existing technology, system architecture and support models are not well adapted to achieving compliance with EU privacy regulations. This is a hidden cost of Australia being out of step with a number of our major trading partners.
On 29 September 2022, following the Optus data breach, the Australian Information Commissioner, Angelene Falk, said the current review of the Australian Privacy Act presents the opportunity to provide stronger deterrence through penalties for breaches involving personal information. Commissioner Falk said:
“The regulatory framework needs to shift the dial to place more responsibility on organisations who are the custodians of Australians’ data, to prevent and remediate harm to individuals caused through the handling of their personal information,”
“Australians need to have the trust and confidence that there is an appropriate regime that incentivises organisations to proactively protect personal information.”
The Australian Attorney General, Mark Dreyfus, stated on 29 September 2022 that, in addition to completing a review of Australia’s privacy laws, the Albanese government would look to legislate “even more urgent reforms”.
Attorney General Dreyfus further commented:
“For too long we have had companies solely looking at data as an asset they can use commercially,”
“We need to have them appreciate very, very firmly that Australians’ personal information belongs to Australians. It’s not to be misused, it absolutely has to be protected. And if the Privacy Act is not getting us those outcomes, then we need to look at reforms to the Privacy Act.”
The Albanese government has since followed through with this commitment. On 26 October 2022, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was introduced to parliament. The Bill proposes to amend the Privacy Act, the Australian Information Commissioner Act 2010 (Cth) and the Australian Communications and Media Authority Act 2005 (Cth) to increase penalties under the Australian Privacy Act, provide the Australian Information Commissioner with greater enforcement powers, and provide the Commissioner and the Australian Communications and Media Authority with greater information sharing powers. In terms of increased penalties, the Bill proposes to increase the maximum penalty for corporations from the current $2.22 million to an amount not exceeding the greater of $50 million, three times the value of the benefit obtained, or, if the court cannot determine the value of the benefit, 30% of the corporation’s adjusted turnover in the relevant period. The Bill is a measure introduced in addition to the Review of the Australian Privacy Act currently being undertaken by the Attorney General’s department, which is expected to be completed later this year and will likely include recommendations for further reform.
In a statement made on 22 October 2022, foreshadowing the introduction of the Bill, Attorney General Dreyfus justified its introduction:
“When Australians are asked to hand over their personal data they have a right to expect it will be protected. Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business. We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”
Data breaches are of course unavoidable in the modern digital age. There will always be vulnerabilities to exploit. What a corporation can control is its preparedness and its internal practices ahead of any data breach. Dedicating appropriate budget and board and executive leadership attention to ongoing privacy and security reviews, security risk assessment and rectification measures is not optional for modern corporations. Being aware of how data is managed and protected throughout the information lifecycle, and of the legal obligations that apply to it, is crucial. Corporations cannot function without the data they collect, but while that data is a key corporate asset, holding it where it contains personal information can be a major potential source of liability if not managed appropriately.
Viewing a corporation’s role as that of a custodian of personal information on behalf of customers involves a paradigm shift for many Australian corporations, which appear to lag behind (at least) their European competitors. This lag has been contributed to by privacy regulation which is less stringent in Australia than, for example, in Europe under the General Data Protection Regulation or in California under the Consumer Privacy Act. The global trend is towards increased protection of personal information by regulators. When Australian corporations enter lucrative foreign markets, they would be well served if they have already adopted internationally recognised best practices in data handling.