
November 2, 2022

Time to break out your Data Breach Response Plan: After more large-scale breaches, major changes are destined for Australian law

The September 2022 Optus data breach served as a wake-up call for the Australian government and businesses alike, driving rapid reforms to the Privacy Act 1988 (Cth) (Privacy Act). Since then, remarkably, there has been a spate of similar breaches involving major Australian corporations. In this article, we look at these recent breaches, and the amendments to privacy legislation that mean businesses must take data protection seriously.

Introduction

Last month we saw the impact of the Optus Data Breach, which involved the sensitive personal data of some 9.7m customers being compromised. Recent media articles have suggested that Optus has already lost up to 10% of its customer base as a direct result, and that more than half of its remaining customers are pondering whether to churn away.[1]

While this was hardly the first instance of a major data breach occurring for a major trusted corporate, it was the second largest in Australia to date. Further breaches and forthcoming changes to the law mean that companies must take data protection seriously.

The Recent Breaches

The Optus breach has been swiftly followed by a number of major Australian companies being hacked, including Medibank, wine dealer Vinomofo and MyDeal (a subsidiary of supermarket giant Woolworths).

Medibank’s October data breach involved the sensitive personal information of all of its 3.9 million customers. The Medibank leak is estimated by some sources to cost the company between $25 and $35 million in investigating and rectifying the breach (excluding customer compensation and legal costs).[2] Due to the negative PR stigma, Medibank has delayed its premium increase until January 2023, costing it a further $62 million.[3]

Shortly after the Medibank breach, Vinomofo experienced a cybersecurity incident in which the names, dates of birth, addresses, emails and phone numbers of its 500,000 customers were potentially leaked.

MyDeal’s breach involved 2.2 million customer records and, while no sensitive data was accessed in this case, it still raised major concerns for consumers.

The Legislative Response

Currently, serious infringements of the Privacy Act 1988 (Cth) attract a $2.2 million fine. In the wake of these data breaches and associated public concern, on 22 October 2022, Attorney-General Mark Dreyfus announced the tabling of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Australian Bill). The Australian Bill is set to make serious changes to Australia’s privacy law, including the increase of fines for repeated or serious privacy breaches from the current $2.2 million to whichever is the greater of:

  • $50 million;
  • 3 times the value of the benefit a company obtained from the privacy breach; or
  • 30% of the adjusted turnover of the company during the breach turnover period.

The new test brings the Australian position closer to the GDPR of the European Union (EU), the high watermark globally since 2016, which imposes a maximum fine of the greater of:

  • €20 million; or
  • 4% of the annual global turnover of the company.

The Australian Bill was introduced in conjunction with the comprehensive review of the Privacy Act that the Attorney-General’s department had commenced in December 2019. In response to the Optus breach, this review has been fast-tracked and is expected to be finalised by the end of this year with further recommendations for reform.

NDBS and Data Breach Response Plan

Additionally, the Office of the Australian Information Commissioner (OAIC), which is responsible for data protection across the nation, will be given broader powers to resolve privacy breaches, including under changes to the Notifiable Data Breaches Scheme (NDBS). These powers include the ability to oversee compliance assessments where a suspected or actual breach has occurred, compel companies to conduct external reviews of their internal procedures, and require companies to publish notices about specific privacy breaches to impacted individuals.

The changes ushered in by the Australian Bill will further encourage businesses to stay on top of their data protection, to avoid significant liability of, in a worst-case scenario, $50 million or more. A key element in any reasonable corporate privacy strategy is to develop and adopt an up-to-date Data Breach Response Plan (DBRP) that complies with the NDBS.

The DBRP is a framework set by the Office of the Australian Information Commissioner and is essential for any business or entity that holds personal or sensitive data. The plan should outline the steps that an entity will take to actively prevent a breach and how they can accurately and effectively respond to a breach as it occurs. For further discussion of what a plan should contain, see a breakdown of a DBRP in our previous Optus article here.

Data security concerns have been at the forefront of law and technology debates for several years. From July to December 2021, the Australian data privacy regulator received 464 data breach notifications.[4] Among the most targeted industries were health care, finance, and legal services, meaning that any industry could be the subject of an attack.

Given the changes to data and privacy legislation that will soon be in effect, now is the time for companies to review and update their DBRP. Responsibility for this falls to the board and senior management of the Company.

Concluding Remarks

The recent data security attacks on major corporates that have been entrusted with the valuable personal information of Australians have put consumers, regulators and the companies themselves on high alert. In an increasingly web 3.0 world where good, clean data is “king” or “the new oil”, businesses will have to be increasingly vigilant in preparing for attacks, and protecting themselves from direct fines and other economic liability, as well as reputational harm.

If you haven’t already, now is the time to break the glass on your Data Breach Response Plan.

If you require advice in relation to data privacy, or any assistance in relation to preparing or implementing Data Breach Response Plans, please contact us below.

+++

[1] Sarah Sharples, ‘10 per cent of Optus customers leave after cyberattack’ News.com.au (31 October 2022) <https://www.news.com.au/finance/business/other-industries/10-per-cent-of-optus-customers-leave-after-cyberattack/news-story/431a0661233a698eb3a6d2bb7c68562c>.

[2] Josh Taylor, ‘Medibank confirms hacker had access to data of all 3.9 million customers’ The Guardian (26 October 2022) <https://amp.theguardian.com/technology/2022/oct/26/medibank-confirms-all-39-million-customers-had-data-accessed-in-hack>.

[3] ‘Medibank cybercrime, business and FY23 outlook update: ASX Release’ Medibank (26 October 2022) <https://www.medibank.com.au/livebetter/newsroom/post/medibank-cybercrime-business-and-fy23-outlook-update>.

[4] ‘Notifiable Data Breaches Report: July–December 2021’ Office of the Australian Information Commissioner (22 February 2022) <https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2021>.
