Australia: Implications of and responses to data breaches – lessons learnt
A string of major data breaches at Australian companies has resulted in far-reaching implications for Australian and international businesses and consumers alike. In parallel, the introduction of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) ('the Privacy Bill') signals that the data security landscape in Australia is changing and that enhanced data handling and cybersecurity practices are imperative. Katherine Sainty, Aisling Hamilton, and Julia Colubriale, from Sainty Law, outline the implications of the data breaches, the regulatory responses, including changes to the Privacy Act 1988 (Cth) No. 119 1988 (as amended) ('the Privacy Act'), and key lessons for businesses going forward.
A ripple of implications
Customers affected by the breaches are vulnerable to identity theft, fraud, interference, and scams. There have been two reported attempts by hackers to extort money from the companies that were the subject of the large data breaches. Both companies rejected the demands, which resulted in the publication of customers' personal data on the internet.
The Australian Competition and Consumer Commission's ('ACCC') Scamwatch[1] has issued alerts urging consumers to be cautious of fraudulent emails that ask people to enter their details to apply for replacement documents and compensation. It has also reported fake phishing texts circulating as a result of the leaked personal information.
Proposed changes to the law
In response to several high-profile breaches, the Privacy Bill was introduced into Parliament on 26 October 2022. The Privacy Bill intends to amend the Privacy Act by:
- Increasing the penalties for serious or repeat privacy breaches by an organisation. The maximum penalty is increased from AUD 2.2 million (approx. €1.4 million) to the greater of:
  - AUD 50 million (approx. €32 million);
  - 30% of the company's turnover; or
  - three times the value of the benefit the company obtains from the misuse of the personal information.
- Expanding the scope of organisations covered by the Privacy Act, as it will apply extra-territorially to qualifying foreign organisations.
- Granting the Office of the Australian Information Commissioner ('OAIC') new powers to:
  - seek information from organisations and assess data breach compliance;
  - share information with other regulators to help further its functions under the Privacy Act; and
  - issue infringement notices if an organisation does not comply with an OAIC request.
The Attorney-General also completed its Privacy Act 1988 Review[2] in January 2022. Reforms considered in the review are expected to be escalated to Parliament following these major data breaches.
Other regulatory responses to the breaches
The OAIC's response
The OAIC has launched an investigation into the large data breach involving a telecommunications provider. The OAIC will investigate whether the company 'took reasonable steps to protect personal information they held from misuse, interference, loss, unauthorised access, modification, or disclosure, and whether the information collected and retained was necessary to carry out their business'.
The OAIC will also work with the Australian Communications and Media Authority ('ACMA'), which has launched its own investigation. The ACMA's investigation will look into the company's data handling practices and whether the company acted consistently with its obligations as a licensed telecommunications firm.
The OAIC is also making preliminary inquiries with a private healthcare provider involved in a data breach to ensure that it complied with the Notifiable Data Breach Scheme.
The Treasury and the Ministry for Communications released a statement[3] announcing that amendments will be made to the Telecommunications Regulations 2021 in response to the data breach.
These changes are aimed at improving coordination between financial institutions, the Commonwealth, and the States and Territories 'to detect and mitigate the risks of cyber security incidents, frauds, scams and other malicious cyber activities'. The amendments await approval from the Governor-General.
Law enforcement involvement
For the breach involving the telecommunications provider, both domestic and overseas law enforcement agencies have been involved in 'Operation Hurricane', which seeks to uncover the identity of the hacker who caused the breach. A concurrent operation, 'Operation Guardian', has been launched by the Australian Federal Police, who are working to protect customers who are at high risk of identity theft and other fraudulent activity. As the breaches increase in size and scale, 'Operation Guardian' is being expanded.
Lessons for your business
It is time to look introspectively and assess what kind of culture and attitude your organisation has towards privacy. The Government's new legislation imposes stronger penalties, meaning that you need to be proactive in your approach to privacy. The significantly higher penalties demonstrate that the Government is ready to crack down on complacency and poor data practices.
Your business needs to review its policies and procedures to ensure that they comply with the Privacy Act and to avoid the risk of significant fines. Be aware, too, that further privacy reforms are expected, so older privacy materials and practices may no longer be fit for purpose. For foreign businesses that operate in Australia or hold Australian personal information, it is crucial to determine whether you are caught by the Privacy Act and, if you are, to ensure that your practices comply with it.
A key takeaway from these data breaches is that organisations are holding on to more information than they reasonably need for their business functions.
Businesses whose staff continue to work from home are easier targets for cybersecurity breaches. It is important to have robust cybersecurity programs that protect work devices from hacking, data breaches, phishing, and ransomware. This includes knowing who your cloud provider is, where your clients' personal information is held, and which third parties can access and use it.
Here are a few things your business can do to prepare for the changes:
- Review personal information collection and handling practices:
  - take inventory of what personal information you have collected, whether it is sensitive information, and why you need it for your business operations;
  - determine how long your organisation should hold onto personal information that is collected in connection with your business practices;
  - have appropriate data deletion processes in place for information you no longer require;
  - assess the data handling practices of third parties that you share personal information with, to ensure that customer personal information is adequately protected; and
  - stay alert to changes to the Privacy Act.
- Review existing cybersecurity protections:
  - take inventory of what software and assets you need to protect, and implement appropriate software and hardware solutions and protocols, such as two-factor authentication, that will protect your organisation; and
  - determine whether your business has appropriate procedures for reporting a data breach.
- If your business allows working from home, consider what additional steps you need to take to prevent cyber risks.
1. See: https://www.scamwatch.gov.au/
2. See: https://www.ag.gov.au/integrity/consultations/review-privacy-act-1988
3. See: https://ministers.treasury.gov.au/ministers/jim-chalmers-2022/media-releases/changes-protect-consumers-following-optus-data-breach