A push for stronger privacy and data laws is in full swing after a major data breach at one of Australia's largest telcos left the sensitive data of millions of Australians at risk.
Nearly two weeks after Optus first made its cyber incident public knowledge, former and current customers are being told to monitor their personal accounts, change passwords and even urgently cancel official documents, such as passports and driver's licences.
The troubled telco last week agreed to front the costs of replacing the passports and licences of its affected customers, after mounting political pressure.
Paying the bill is a fair start, many have agreed, but it has left a lot of people wondering: what can we actually do about it, and how do we stop it from happening again?
What power does the Australian government have?
Home Affairs Minister Clare O'Neil boldly declared over the weekend the previous Coalition government's recently passed cyber security reforms were "absolutely useless" in relation to the Optus incident.
The critical infrastructure amendments, passed by Ms O'Neil's predecessor Karen Andrews last year, force those operating as critical services, such as banks or hospitals, to undertake a holistic assessment of their cyber security capabilities and to develop comprehensive plans in the event of an attack.
They also give the federal government extra powers to intervene when critical services, such as banking or hospitals, are hit by cyber attacks.
Personal data breaches and how to compensate those affected, however, weren't a key focus of the reforms.
"I'm not flagging any specific directions for reform, but I would simply note that we do not have the right laws in this country to manage cyber security, emergency incidents, and this is something that we are going to need to look at," Ms O'Neil said.
The Privacy Act deals with the personal data side of the cyber attack but its champion, the Office of the Information Commissioner, is limited in what it can do without further legislative reform.
Under existing laws, the maximum penalty for serious or repeated breaches of privacy by companies is $2.1 million.
The Privacy Commissioner can also accept and sign off on an enforceable undertaking encouraging a company to voluntarily agree to remedy the damage a breach has caused.
Remedies could include delivering an apology or making payments to those affected.
How do Australia's privacy and data laws compare to overseas?
Australia's data privacy and cyber security laws were described by Ms O'Neil as being five years behind the rest of the world, but it also depends where you look.
The European Union is often described as having the toughest in the world and by comparison, Australia is certainly more forgiving.
Under the bloc's data privacy laws, known as the General Data Protection Regulation, companies have 72 hours to inform their customers what data has been breached or face penalties.
Those penalties are capped at a maximum of 20 million Euros ($30.6 million) or 4 per cent of their global revenue.
Across the ditch, New Zealand passed updated data privacy laws at the end of 2020, enforcing mandatory obligations to inform the country's privacy commissioner.
But companies only face fines of up to $NZ10,000 ($8800) for non-compliance.
In the United States, the issue is complicated by each state having its own laws. California set up its rules in the early 2000s, forcing companies to inform their customers if their personal information has been compromised and was not encrypted.
Under that state's laws, affected customers can sue a company for up to $750 per incident if their non-encrypted and non-redacted personal information was stolen in a data breach as a result of the company's failure.
Efforts to establish a federal data breach notification system within the US have yet to succeed.
Where to from here?
The severity of the Optus cyber security breach has brought data privacy and compliance to the forefront of the conversation, with advocates calling for urgent reforms.
Greens senator David Shoebridge, along with a number of privacy experts, wants to see harsher punishments for offending companies in a move that mirrors more closely the EU model.
He believes the changes will work as a disincentive and force companies to think twice about lax data security.
"We have the private corporate interest of players, like Optus, to retain the data for its marketing and customer retention purposes. We also have the security motive from the likes of the AFP and the federal government," Senator Shoebridge said.
"What's totally missing are the protections for individuals whose data is at risk. We need to make the penalties sufficient to provide an incentive to protect data."
Attorney-General Mark Dreyfus said over the weekend he was looking to reform privacy laws by the end of the year in response to Optus' failure.
"Companies throughout Australia should stop regarding all of this personal data of Australians as an asset for them, they actually should think of it as a liability," Mr Dreyfus said.
It follows the release of an exposure draft late last year for enhancing online privacy.
It would amend laws to include a binding online privacy code and would result in the maximum penalty being raised to $10 million for companies, or 10 per cent of their domestic annual turnover.
It would also give the Information Commissioner additional powers to issue infringement notices for failure to give information.