Optus Data Breach: Time for change?
The Optus data breach has exposed how harmful a cyber incident can be. Many are now calling for changes. But it’s important that we get it right …
Privacy 108’s Dr Jodie Siganto is the head of the Australian Privacy Foundation’s Telecommunications and Internet Committee, and has helped draft the APF’s Call for Action. Released yesterday, the Call for Action identifies 6 steps the government should take now to try to prevent similar incidents and reduce their consequences in the future.
The Australian Privacy Foundation calls for the following:
- An immediate review of statutory data retention obligations in Australia, particularly those applicable to telecommunications providers, to confirm the necessity and proportionality of those requirements;
- A minimum set of security controls be prescribed for organisations with large holdings of personal information (like that held by Optus) – as a stand-alone exercise or as part of the development of risk management plans under Australia’s critical infrastructure laws;
- Appropriate reforms to the Privacy Act in the current Privacy Act Review including the introduction of a data minimisation principle, a right to erasure, and a right to sue for damages for breach of the Privacy Act so that individuals in Australia who suffer a data breach can individually and collectively advance their claims in court;
- Strengthening Australia’s mandatory data breach notification scheme to include immediate notification to people affected wherever there is a critical data breach, together with clear instructions on the steps to take to mitigate potential harms. Organisations need to have the systems or processes in place to enable them to meet these requirements;
- Extended powers for the Australian Information Commissioner and Privacy Commissioner and increased penalties for breaches, as also demanded by the Commissioner;
- Commitment to ensuring that the Office of the Australian Information Commissioner has the resources needed to perform its statutory oversight functions rigorously and effectively.
The Optus data breach points to the need for extra-vigilant cyber security by telecommunications service providers in the face of increasing risks of hacking. But it also raises broader policy questions about the need for Australian entities to collect and hold large amounts of personal data, including identity data, the length of mandatory data retention, and the case for giving Australians a right to have their data erased and a right to claim damages under the Act for a data breach.
The time for complacency is over. We know the government is working on a response to the Optus data breach. We hope that its response includes the above, to ensure that Australians can regain trust and confidence in our biggest entities and the government regulators, so vital to our national well-being and prosperity.
October 10, 2022