Why Singtel Optus data breach could bring knee-jerk changes to Australian privacy law

05 October 2022 06:56


Singtel Optus’s mass data breach last month saw the data of almost 10 million Australians put at risk — something the public may never have found out about, had it not been for a little-known national legislative requirement that codifies a company’s response to such an emergency.

From a legislative perspective, Australia’s 2018 Notifiable Data Breach rules, or NDB, are the only national mechanism that guarantees transparency in the event of a data breach. It was thanks to the NDB that Optus customers were alerted to the fact that their names, dates of birth, phone numbers, email addresses and — for a subset of customers — addresses as well as ID document numbers had fallen into the wrong hands.

That’s not to say that Optus’s obligations under the NDB have spared the company from strong criticism over its handling of the breach. The Australian government has lamented a lack of clarity in the telecommunications giant’s communications and has pointed to the staggered way in which information relating to the data breach has been released as evidence of an inadequate response.

And, indeed, while the Singaporean-owned Optus was relatively quick to inform the public that some personal data had been compromised, it was only a full week after the breach had been announced that the company admitted that 14,900 valid ID numbers for Medicare, Australia’s universal health-insurance system, had been part of the mass data breach.

But whatever the merits of the NDB, the rules don’t establish standards for storing data, nor can they prevent a breach or ensure a faster response. The same can be said for Australian critical-infrastructure legislation, which obliges entities holding “critical assets” to report cyber incidents — it’s unclear at this stage whether this type of cyber attack would have triggered the critical-assets reporting requirements.

This realization appears to have jolted Australian lawmakers out of their cyber-security complacency, pointing to the fact that a breach of this scale — believed to have been the largest in Australian history — has to be tackled on multiple fronts, starting with comprehensive, up-to-date privacy legislation. The data breach has got politicians agitated enough to say that they are now ready to fast-track parts of what has been a sluggish review of the 1988 Privacy Act before the end of the year.

Yet even this flurry of legislative activity is proving controversial. According to some observers, Australia is now facing the prospect that part of its privacy law will soon be in the 21st Century, with the rest lagging behind, somewhere in the 1980s.

This is a far cry from the methodical, comprehensive revamp of the legislation that had been planned by the Australian parliament almost two years ago, to the day. And while Australians may welcome a quick fix to make their data more secure, the prospect of band-aid legislation presents its own problems.

The breach

Optus has yet to confirm how the breach happened, announcing recently that accountancy firm Deloitte would investigate the company’s security systems, controls and processes. However, local media reports have suggested the breach was the result of an online Application Programming Interface, or API, that didn’t require authentication to access customer data.
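As an added illustration, and not code from the article, from Optus or from Deloitte, the following Python sketch contrasts a customer-lookup endpoint that trusts nothing but the record identifier in the URL path (the pattern local media reported) with one that requires a bearer token and then checks that the authenticated caller owns the record being requested. All customer records, tokens, paths and function names are constructed for the example; it uses only the standard library so it runs offline.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample records, keyed by customer id. Not real customer data.
CUSTOMERS = {
    "1001": {"name": "Alice Example", "dob": "1990-01-01", "phone": "0400 000 001"},
    "1002": {"name": "Bob Example", "dob": "1985-05-05", "phone": "0400 000 002"},
}

# Constructed session store: bearer token -> customer id the token was issued to.
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}

# Denied requests are recorded here so a defender can alert on bursts of
# 401/403 responses against the customer endpoint.
AUDIT_LOG = []


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def customer_id_from_path(path):
    # Hypothetical route shape: /api/customers/<id>
    return path.rstrip("/").rsplit("/", 1)[-1]


def vulnerable_lookup(req):
    # Weak pattern: any caller who can guess an id gets the record.
    record = CUSTOMERS.get(customer_id_from_path(req.path))
    if record is None:
        raise ApiError(404, "no such customer")
    return record


def authenticate(req):
    # Step 1: the caller must present a valid bearer token.
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ApiError(401, "missing bearer token")
    presented = auth[len("Bearer "):]
    for known, subject in SESSIONS.items():
        # Constant-time comparison avoids leaking token bytes via timing.
        if hmac.compare_digest(known, presented):
            return subject
    raise ApiError(401, "invalid token")


def hardened_lookup(req):
    # Step 2: object-level authorization. A valid token is not enough; the
    # record requested must belong to the authenticated subject.
    subject = authenticate(req)
    customer_id = customer_id_from_path(req.path)
    if not hmac.compare_digest(subject, customer_id):
        raise ApiError(403, "not permitted to view this customer")
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise ApiError(404, "no such customer")
    return record


def call(handler, req):
    # Small dispatcher returning (status, body) and recording denials.
    try:
        return 200, handler(req)
    except ApiError as err:
        AUDIT_LOG.append({"path": req.path, "status": err.status, "reason": str(err)})
        return err.status, {"error": str(err)}


if __name__ == "__main__":
    anon = Request("/api/customers/1001")
    print("vulnerable, anonymous:", call(vulnerable_lookup, anon))
    print("hardened, anonymous:", call(hardened_lookup, anon))
    print("hardened, owner:", call(hardened_lookup,
          Request("/api/customers/1001", {"Authorization": "Bearer tok-alice"})))
    print("hardened, other customer:", call(hardened_lookup,
          Request("/api/customers/1001", {"Authorization": "Bearer tok-bob"})))
    print("audit log:", AUDIT_LOG)
```

The point of the two-step check is that authentication alone would still let any logged-in customer read every other customer's record; the ownership comparison in `hardened_lookup` is what turns a per-user session into a per-record permission. The audit entries give the operations team something to detect: a single client producing many 403s across different identifiers is the signature of enumeration against an endpoint like this.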

Since the breach was announced, Optus customers have received text messages and emails from the company, with information on what personal data has been compromised. For those most affected by the breach, Optus has provided the option to take up a fraud-protection subscription with Equifax, a US-based consumer credit-reporting agency.

Under the arguably fuzzy provisions of the NDB, Optus appears to have ticked most boxes. But the crisis immediately sparked a discussion about the Privacy Act’s limitations.

The NDB guidelines of the Office of the Australian Information Commissioner, or OAIC, say that an entity’s notification to the regulator “must include the kind or kinds of information involved in the data breach. Knowing what kind of personal information has been breached is critical to assessing what action should be taken by individuals following a data breach.”

But the guidelines don’t say that all the information must be shown up front — and that’s where the requirements get confusing.

Melissa Fai, a partner at Sydney-based law firm Gilbert + Tobin, told MLex that while Optus could be at risk of breaching the requirements, the complexity of the NDB could be in the telecommunications company’s favor.

“If they were aware that there were reasonable grounds to believe the attack constituted an eligible data breach from the outset, strictly speaking, there is not really the luxury of the 30-day assessment period and the obligation to notify is as soon as practicable,” she said.

“What makes the obligation problematic is that the notification also has to take a certain form and it is often not unreasonable for the process to develop the details required by the form to take some time,” Fai added.

Data breaches are eligible for notification if an attack is likely to cause serious harm. Companies have a 30-day window from the point at which they suspect a serious breach to confirm or dispel their suspicions and notify individuals. Because Optus hasn’t provided a clear understanding of exactly when the breach occurred, it’s impossible to know whether the company has adhered to the timeframe laid out by the NDB.

No silver bullet

Days after the breach, Australian Attorney General Mark Dreyfus, who is charged with overseeing the ongoing review of the Privacy Act, said the update to the legislation was now “a matter of urgency”.

But Dreyfus wasn’t promising to complete the review. Instead, he pointed to increasing penalties — something that has been under discussion since last year — and boosting protections for personal information. The minister also mentioned strengthening the NDB.

Australian privacy principles that could be up for rapid review include “the retention principle,” which dictates that companies or organizations must not retain information longer than for the original purpose for which it was obtained — something that goes to the heart of the Optus data breach. If documents and data were obtained to set up new customers and confirm their identity, should they have been retained after confirmation was secured?

The second principle relates to “data minimization” — permitting the collection of information deemed reasonably necessary for a company’s functions.

Both principles leave a lot of room for debate.

“If there was more prescription in the [Australian Privacy Principles] and stronger enforcement of them, or the OAIC had more budget and resources to actually carry out meaningful enforcement, companies may be more vigilant with their cyber resilience,” Fai told MLex.

The OAIC’s lack of resources has long been a source of contention for the regulator.

“A lot of people might disagree, but I … don’t necessarily see that the overwhelming cause of this attack is what some people may think of as deficiencies in the Privacy Act,” Fai said.

“It is in part a product of the current world in which we live — that is, the types of cyberattacks and risks that every company is dealing with on a day-to-day basis. Which is not to say it is not preventable,” she said. “Of course, a likely result of stronger regulation will be that companies invest more money in their cyber systems and security, but that is not a silver bullet.”

Legislative confusion

Any piecemeal approach to legislation changes could leave Australian lawmakers at risk of sowing regulatory confusion rather than better protecting consumer data — particularly with the NDB and the critical-infrastructure laws playing a part in companies’ response to cybersecurity attacks.

Under existing rules, telecom operators are also governed by separate security laws. Just last month, Australia’s center-right opposition tabled a bill titled the “Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022.” If passed, the legislation would introduce criminal offenses for cyber attackers and would also target extortion using ransomware; the bill includes maximum prison terms ranging from five to 25 years.

Before being voted into government in May, the center-left Australian Labor Party had itself put forward a “Ransomware Payments Bill” that would have forced companies suffering ransom attacks to notify the Australian Cyber Security Centre.

“In terms of the overlapping regulation for some entities in this area, it would certainly make sense to have one source of truth, so to say,” Fai said in an interview. “That is, a consolidated and comprehensive legislation that covers all the obligations of an entity and, equally, the related rights of individuals, rather than a myriad layering of laws which we currently have.”

“But reform and regulation in this space has been developed and implemented on an almost reactive and ad hoc basis to the growing and general cyber threat.”

Since the NDB was introduced, regulators have planned to build, or built, other systems dealing with cyber risks.

“That is because regulators are trying to capture attacks that don’t just involve personal information,” Fai said. “There is obviously a range of critical data and information that an entity may hold which may not include personal information and which may be vulnerable to attack.”

“Government and regulators are trying to cover all bases in different ways. It is getting difficult to understand and assess potentially overlapping regimes,” she said.

Yet reservations by observers may ultimately be outweighed by the concerns of cyber-breach victims — such as the 9.8 million Australian residents affected by the Optus breach.

It’s safe to assume that those who are today facing the prospect of having to renew licenses, passports and medical documents would prefer an immediate but unseemly patchwork of approaches than a drawn-out, in-depth review of privacy legislation — something unlikely to be lost on Australian politicians.
