The OAIC’s Lawsuit Against Optus is a Warning For Australian Corporations to Secure Data

The Office of the Australian Information Commissioner (OAIC) has commenced proceedings against Optus in the Federal Court of Australia. A headline-grabbing aspect of these proceedings is that the theoretical maximum penalty could range into the trillions of dollars. Each person whose data was breached is alleged to be a separate contravention under the law, meaning the maximum penalty of $2.22 million could be applied to each of the 9.5 million affected individuals.

In this post, we outline the basis of the OAIC’s claim against Optus, briefly explain the separate claim brought by the ACMA, and detail what this means for Australian organisations.

Background 

In September 2022, Optus experienced a significant cyberattack, leading to the access and theft of personal information belonging to millions of its current and former customers. The personal information exposed in the breach included names, dates of birth, addresses, and contact details like phone numbers and email addresses. The breach also compromised government-related identifiers, such as passport and driver’s license numbers, along with Medicare card details and various forms of armed forces and police identification.

  • You can see the OAIC’s LinkedIn announcement here.

Following the breach, the OAIC launched an investigation into Optus’s privacy practices. The investigation was not merely about the breach itself but focused on whether Optus had met its obligations under Australian privacy law. The OAIC sought to determine if the telecommunications giant had taken reasonable steps to protect the personal information in its care from misuse, unauthorised access, or disclosure.

The OAIC alleges that Optus did not take reasonable steps to secure the personal information it held. The Commissioner’s case considers Optus’s size and resources, the high volume and sensitive nature of the data it held, and the potential for harm to individuals should that data be compromised. On that basis, the OAIC has commenced legal proceedings against Optus.

“The commencement of these proceedings confirms that the OAIC will take the action necessary to uphold the rights of the Australian community,” said Australian Information Commissioner Elizabeth Tydd.

“Organisations hold personal information within legal requirements and based upon trust. The Australian community should have confidence that organisations will act accordingly, and if they don’t the OAIC as regulator will act to secure those rights.”

Separate ACMA Proceedings

The ACMA (Australian Communications and Media Authority) has also taken Optus to the Federal Court over the September 2022 data breach. The ACMA alleges that Optus failed to protect its customers’ personal information from unauthorised access as required under the Telecommunications (Interception and Access) Act 1979. This is a separate legal action from the one brought by the OAIC.

Key Takeaways for Australian Organisations

When we initially heard about the OAIC’s civil penalty proceedings against Optus for the 2022 breach, the key takeaways we drew were: 

  • Risk management must be commensurate with the data held. The OAIC is looking at the size of your organisation, the volume of data, and the potential for harm.
  • External-facing systems and third-party providers are key vulnerabilities. The Optus case highlights risks associated with the interaction between public-facing domains and internal databases.
  • Compliance is critical to public trust. The Australian Information Commissioner stressed that organisations hold personal information “based upon trust,” and that the OAIC will act when that trust is broken.

With the benefit of additional time to digest what’s been published so far, we also noted these additional takeaways for Australian organisations: 

  • Layered security is not optional for large organisations that hold high volumes of data and/or sensitive information. Defence in depth is essential to avoid a single point of failure.
  • Properly resource your security monitoring and incident response teams, and monitor proactively. They should be equipped to promptly detect and address vulnerabilities and breaches, and these preparations should be regularly stress tested.
  • Allocate adequate resources to your privacy and security teams, proportionate to the size of your organisation and the data you collect and store. They should be equipped to stress test plans, regularly review systems and infrastructure, and outsource for expertise or additional hands where required.

Resources

We’ve previously written about the Optus data breach across multiple posts: 


Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.