In September 2022, millions of Australian Optus customers had their data hacked, causing widespread concerns of identity fraud. Optus, Australia’s second biggest telecommunications company, was left red-faced. In this article, we take a look at the legal obligations that Australian businesses have to prevent data breaches, and how companies can and should take active steps to minimise the risks to their customers.
In the era of Web 3.0, organisations are increasingly seeking to aggregate deep digital databases of personal information about consumers to assist them to achieve their commercial objectives. At the same time, there is mass consumption of media on ubiquitous smartphones, widespread interconnection via the internet and largely free access to an array of increasingly powerful digital applications. As a result, data security fears have become a hot button issue.
The recent Optus data breach affected 9.7 million customers, compromising personal data including names, dates of birth, phone numbers, email addresses, home addresses, and Medicare card, driver licence and passport numbers. The breach serves as a timely reminder for businesses of the importance of customer data security and of the need for a process to mitigate risk if a breach does occur.
Given that even a small amount of personal information can be used to steal a person’s identity, the Optus data breach has caused a significant risk of serious harm to its customers. Optus has been left embarrassed by the incident, as the breach has caused considerable reputational damage and a loss of public trust. Two key Australian regulators, the Australian Communications and Media Authority (ACMA) and the Office of the Australian Information Commissioner (OAIC), have announced that they will commence investigations into the circumstances that led to Optus’ data breach, which will likely intensify the scrutiny on the company and escalate the existing brand damage.
Further, the incident may cause a loss of faith in Optus and result in a leakage of customers to other providers, especially when users can easily port their mobile number from one mobile network to another. Analysts have described the leak as a ‘gift to Telstra’, and although it is too early to tell what the full commercial implications of the breach may be, some analysts predict that Optus may lose up to 115,000 customers by the end of the year. The brand damage incurred by Optus also has implications for its shareholders; the share price of Singtel, which owns Optus, fell by 2% after the hack was disclosed.
Ironically, it is both the customers and the organisation entrusted with their personal data that can suffer serious harm if a breach occurs.
A data breach can result from a targeted external attack or from an unintentional lapse in internal security that allows malware or ransomware to affect the system in which the data resides or through which it can be accessed.
The breach leaves the security of the data compromised, and the data is at risk of being disclosed to an unauthorised recipient – or “hacker”. An unauthorised person or entity may then use the personal information to commit “identity theft”, impersonating the individual to gain access to bank accounts and other commercially or reputationally valuable assets. For more information on how to mitigate the risk of being hacked, see our article on protecting your business from cyber-attacks in a COVID-19 world here.
Data breaches can have severe impacts for both the company whose security has been breached and its customers; customers may be exposed to financial and reputational harm, and companies may incur financial penalties or regulatory action if they are found to have not complied with the legislative framework.
Under the Australian Privacy Principles (APPs) of the Privacy Act 1988 (Cth), entities are required to secure the information they hold from misuse, interference and/or unauthorised access from a third party.
A failure to comply with the Privacy Act can result in a civil penalty of up to $2.2 million for businesses. However, the newly tabled Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Draft Bill) could see this amount go up to $10 million if adopted by the Commonwealth Government.
The notifiable data breaches scheme (NDBS) was established by the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017. The NDBS has applied since February 2018 to all organisations and agencies with existing personal information security obligations under the Privacy Act. It obliges these entities to investigate a data breach and form a view as to whether the breach is likely to cause serious harm. If so, the organisation must notify the affected individuals and the OAIC.
‘Serious harm’ is not specifically defined in the Privacy Act. However, the OAIC has made it clear that in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm. The mandatory notification must include recommendations about the steps individuals should take in response to the data breach. To meet their obligations under the NDBS, companies are advised to prepare a Data Breach Response Plan, to ensure they have a solid action plan in place to prevent breaches, and act promptly to address the breach should it occur.
The purpose of the mandatory notification regime is not simply to punish those who do not comply; rather, it is to protect consumers and defend against potential harm resulting from a data breach. As highlighted in the Information Commissioner’s special report:
“We … encourage entities to move beyond compliance to effectively support consumers. While the law obliges entities regulated under the Privacy Act to provide transparent and useful information to consumers, it is those entities who focus on the consumer and navigate beyond compliance to support affected individuals to take steps to minimise or prevent harm in a meaningful way who will differentiate themselves and maintain trust over time.”
Data breaches are not uncommon. In May 2019 up to 139 million users of the graphic design platform Canva had their email addresses, usernames and passwords compromised, whilst the largest recorded data breach involved 3 billion accounts attached to the search engine Yahoo!, compromised over a four year period from 2013 – 2016. Another example we have previously explored is the Ashley Madison hack in 2015, which compromised the data of over 39 million members. In that case, the data revealed the identities of people seeking extra-marital affairs.
The commercial implications of such breaches are significant for companies. When Cathay Pacific Airways’ computer system was accessed and the personal information of 9.4 million customers was compromised, its share price fell almost 7%, which equated to $200 million in market value.
Companies may not be able to avoid the risk of a data breach entirely. However, there are some clear processes that organisations can put in place to minimise the risk of it occurring, and then the harm if it does occur. The OAIC’s Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) sets out processes that can mitigate the risks of a breach and allow for a faster response if one does occur.
As discussed above, under the NDBS, any organisation or agency covered by the Privacy Act must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved. To ensure these obligations are met, each company should implement an appropriate Data Breach Response Plan that looks to both 1) prevent data breaches and 2) respond to a breach should it occur. Edwards + Co Legal has worked with many clients to develop and implement such schemes.
There are two areas that a company should look to in preparing for and preventing a data breach. These fall into the broad categories of:
Broadly speaking, the plan for responding to a breach, in line with the OAIC guidance, should establish a step-by-step process the company can follow. Having a clear plan will provide guidance during the crisis and ensure a uniform response by the company. Though open to change on a case-by-case basis, the plan should generally follow 5 key steps.
Step 1: Identify the breach, keeping a record of key details such as the time and date of discovery, the data involved, and the cause and extent of the breach if known.
Step 2: Contain the breach, including recovering compromised data and restricting any further spread, to minimise its impact.
Step 3: Assess the risks to those affected by the breach and have the company’s Chief Privacy Officer create a formal record. This is also the point at which the company should consider what further action is required.
Step 4: Determine whether a breach notification should be issued and whether the Data Breach Response Team should become involved in the matter.
Step 5: Review and learn from the incident, so that the company can take actionable steps to prevent a future breach.
Although the digital revolution is a time of exciting possibilities for modern businesses and individuals, it also means that companies will need to be proactive in avoiding and responding to data breaches. The Optus breach has already caused – and will continue to cause – serious harm to Optus’ customers and its corporate reputation. It is a warning to companies who hold data on their customers to be sure to have an up-to-date, detailed Data Breach Response Plan in line with the OAIC recommendations. This will ensure a uniform and targeted response to any breach.
If you require advice in relation to data privacy, and how to protect your business from serious harm caused by data breaches, please contact us below.
‘“A gift to Telstra”: Cyberattack to hit Optus’, Sydney Morning Herald (30 September 2022) <https://www.smh.com.au/business/companies/a-gift-to-telstra-cyberattack-to-hit-optus-reputation-20220928-p5blmq.html>; ‘The Optus hack will cost millions (and not just in payouts)’, Australian Financial Review (23 September 2022) <https://www.afr.com/chanticleer/the-optus-hack-will-cost-millions-and-not-just-in-payouts-20220923-p5bkkm>.
See Part 4 of the OAIC guidance on the NDB scheme: <https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme#:~:text=’Serious%20harm’%20is%20not%20defined,%2C%20financial%2C%20or%20reputational%20harm>.