Optus data breach: Mark Dreyfus and Anthony Albanese indicate substantial reforms

As millions of Australians race to secure their data in the wake of a devastating cyber attack on Optus, three words from a submission arguing against tighter privacy laws have come back to haunt the telco.

Less than two years ago, Optus complained there would be “substantial compliance costs” if changes to how the company stored customer data were made.

While experts agree that may be the case, state and federal governments are now demanding the telco cough up the cost to replace licences and passports stolen in what could be the worst case of data theft the country has ever seen.

The disaster has added fresh urgency to calls for Australia to get on with tightening its Privacy Act – particularly around data retention.

Legal experts are calling for Australia to take a leaf out of the European Union’s “gold standard” privacy laws.

Tony Song from the University of New South Wales said that while adopting measures like the EU’s General Data Protection Regulation could come at a substantial cost, it was the best way forward.

Under the measures, companies could be fined tens of millions of dollars for failing to maintain consumers’ privacy – as good an incentive as any, he said, to increase compliance and tighten controls.

“If we have those level requirements, the increased fines would be a big incentive for companies to not be just plain sloppy,” Mr Song told NCA NewsWire.

“Ultimately the data breach still could have happened – if a hacker wants to get in, they will get in – but if we had GDPR laws it definitely would have caused Optus to have better systems and better risk management.

“It’s about having better systems in place so you do manage your risks properly.

“If this thing does happen, you’re actually prepared for it, not scrambling around and trying to figure out what you need and do not need to do.

“You’ll definitely see this sloppy behaviour cease – because of the actual threat overhanging them they’ll face commercial consequences.”

Attorney-General Mark Dreyfus and Prime Minister Anthony Albanese have said they will rush to introduce urgent reforms as soon as possible.

The former government began the process of reviewing the Privacy Act 1988 years ago, and called for submissions from interested and affected parties.

In their own 16-page submission, Optus wrote they did not see “any justification” for wholesale changes to the Act.

“We find that the processes are working reasonably well, and have resulted in good outcomes for consumers and businesses,” they wrote.

Mr Song says the past 10 days have highlighted anything but, and the government’s reforms – which have been worked on in the background for some time and are broadly based on the GDPR – would be welcomed.

But he noted that enforcing compliance needed to be a priority for the government, saying that even without reforms, Optus was perhaps in breach of the existing provisions under the Privacy Act.

“They seem to have been holding this sensitive data without a real need for it,” he said.

“The law says you can only store data as necessary for the purposes of use you collected it for. That’s in the privacy policies we as consumers agree to.

“Why did they need to store – to keep this sensitive data even after, say, a customer has left and switched provider?

“We don’t know the reason or argument yet – but if they did have a reason to store it even after using it, they should have just encrypted it.

“Because now everyone’s address, driver’s licence, passport – these serious points of data – are out there, and can lead to identity theft.”

Speaking more broadly on data and privacy reforms, Landers partner Lisa Fitzgerald said there were three areas of most pressing concern.

“Over-collection of personal and sensitive information beyond when it is needed; ensuring deletion of personal information when it is no longer needed for the original purpose of collection, or if requested by the person; compensation for affected individuals who are impacted by serious data breaches,” she told NCA NewsWire.

“With most businesses now having an online dimension and/or dependency on technology to operate, and with personal information being fundamental to that process, privacy reform must be focussed on this context. This is not just a digital giants issue.

“The reality is many businesses now operate in multi-cloud environments with data duplicated across clouds and various platforms. A key consideration is how data risk can be reasonably managed in this increasingly complex environment.”

A spokesperson for Mr Dreyfus said the department was currently making its way through the submissions and would produce a final report recommending reforms to the Privacy Act.

“That report is due to be completed later this year, and after it is considered by the government, it will be made public,” the spokesperson said.

Mr Dreyfus said the government was looking at “urgent reforms” that could be made straight away to the Act to increase the safeguards already there.

He added that he was going to try and get reforms into the House before the end of the year.

“What we’ve had is a Privacy Act that says that care has to be taken with Australians’ privacy and Australians’ private data, but has not kept pace with the digital age. It has not kept pace with technological improvements and the extinction of the ability of companies to keep absolutely huge amounts of data,” he said.

“The more data that’s kept, the bigger the problem there is about keeping it safe.”

One such area the government is being asked to consider in its overhaul is that of the right to erasure.

Under the EU’s GDPR, the “right to be forgotten” allows for the deletion of all personal data at the request of the data subject, if for example the data is no longer necessary for the intended purpose, or an individual withdraws their consent.

It’s an extreme example of individuals taking their data security and privacy into their own hands, and one that some experts would like to see enjoyed by Australians.

Optus is seemingly against the right to be forgotten, however, writing in their 2020 submission there were “significant technical hurdles” and costs to implement it effectively in most sectors of the economy, and that more research needed to be conducted.

Any implementation, they wrote, would need to consider key exemptions or provisions to meet expectations.

“For example, the right to erasure should be limited to when personal information is no longer required,” they wrote.

“It is worth noting that the compliance costs are likely to be significant for large companies as these organisations generally have personal information flowing through a magnitude of different legacy databases and systems which perform different functions for the organisations.”

Mr Song said the reforms Australia was already considering prior to the Optus hack included more scope for the right to erasure, which would again mirror the EU’s “gold standard” practice.

But it would only be effective should Australians take more responsibility for their own privacy. Mr Song said the question should be pushed back as to why Optus was retaining the data well after it was needed.

Of the nearly 10 million Australians who had their data accessed – many of whom are no longer with the telco – some 2.8 million have had their identification documents, like their passport, driver’s licence or Medicare numbers, leaked.

Assistant Treasurer Stephen Jones has warned the data breach will have a “long tail of impact”.

“We know that fraudsters, we know that scammers, are already onto it – whether they’ve got the Optus data or not, they’re attempting to impersonate Optus, they’re attempting to impersonate licence providers, they’re attempting to impersonate government and government agencies,” he warned.

“It’s up to Optus to ensure any cost arising out of this is compensated by Optus and not the government.”

The Opposition’s cyber security spokesperson, James Paterson, said it was clear that there needed to be an urgent look at the amount and the detail of the data that companies are storing.

“And whether or not it’s actually necessary, from a legal perspective or business perspective, for them to continue to do that,” he told NCA NewsWire.

“Data is very powerful, in both a good and a bad way, it’s a dangerous thing to store on such a mass-scale because it’s of great interest to criminals, but also foreign state actors as well.

“I think the starting point is companies should have a culture of holding the minimum amount of data required to meet their legal requirements and to suit their business purposes. They shouldn’t be storing any additional data that they don’t need.”

Originally published as Australians race to secure their data in the wake of a cyber attack
