The cyberattack on Optus has spotlighted a legal quirk that means corporations don’t have to tell anyone they’ve been hacked.
A spokesperson for Attorney-General Mark Dreyfus told Crikey the federal government is considering plugging the loophole, which allows organisations that have been hacked to keep it a secret.
“Millions and millions of Australians have been affected by the Optus data hack and are rightly concerned about the loss of their personal information,” the spokesperson said.
“The Albanese government is committed to protecting the personal information of Australians.”
The rules outlining when organisations have to disclose a hack are spelled out in the Notifiable Data Breaches scheme.
Under the scheme, companies are only required to tell the Office of the Australian Information Commissioner (OAIC) and hack victims that a breach has occurred if it’s deemed “eligible”.
But in order for a breach to be eligible, it has to meet certain criteria, including that the targeted organisation “has been unable to prevent the likely risk of serious harm with remedial action”.
The breach must also have involved unauthorised access to personal information, and be likely to result in serious harm to the individuals whose data was accessed, in order to be subject to mandatory reporting.
“There is huge scope for organisational judgment about disclosures … Public disclosure is never required,” University of Sydney professors Jane Andrew and Max Baker told Crikey.
The pair have been trying to establish a database of hacks but have found the task almost impossible because there is no central hub of information.
“We need a public repository of data breach information. All organisations should be required to file an annual notification so the public can build a better picture of data security, and to encourage organisations to foreground data security issues,” they said.
The attorney-general’s spokesperson said Dreyfus would consider “strengthening the Notifiable Data Breaches scheme in response to the Optus incident and as part of the Privacy Act review due to be completed by the end of this year”.
The review of the legislation, which was enacted in 1988, was initiated by the former government in 2020.
Dreyfus told the National Press Club last week that bringing the act’s review to a conclusion would be one of his goals in his first year as attorney-general.
“We have a very outdated piece of legislation in the Privacy Act,” Dreyfus said, with his office saying the review will inform an “overhaul” of the act next year.
The attorney-general also wants stiffer penalties for companies that mishandle personal data than the current maximum fine, which sits at just over $2 million.
A recent report from the OAIC said 71% of notified breaches affected fewer than 100 people, meaning most breaches are likely to fly under the radar even though they may have a significant impact on victims.
The massive hack on Optus, which affected millions of customers, has been followed by other high-profile cyber incidents in recent weeks.
They include an attack targeting MyDeal, an online shopping website owned by grocery giant Woolworths Group, which confirmed at the weekend that 2.2 million customers had been affected.
Should the government change the rules around data breach disclosures? Let us know by writing to letters@crikey.com.au. Please include your full name to be considered for publication. We reserve the right to edit for length and clarity.
After a 100-point ID verification (when necessary), why should any company be allowed to keep any information apart from name, address and phone? Legislate that, Mr Dreyfus! Anything else is just tinkering at the edges.
Why do these companies have to keep all that information, particularly after what they got it for has been verified? And that’s before we ask why they keep it all together in one place. Easier to gather it up to flog off to someone else, I suspect.
Laws on data retention need to be tightened up, and companies punished for not deleting data the moment it is no longer necessary to hold.
All data is hackable. If not today, quite soon. Snail mail and money under the mattress is relatively safe.
Australia has not been serious about data privacy legislation and regulation due to being compromised by catering to media proprietors, LNP, think tanks and related on the right.
Due to reinventing the wheel, this and related loopholes, pitfalls, gaps etc. will continue to emerge, versus simply replicating the EU GDPR (à la the UK post-Brexit), but that is a red rag to a bull for ideologues of the right.