Optus hack exposes Australia's 'lagging' cyber law framework

Hack on major telco firm raises prospect of harsher penalties for businesses

Optus hack exposes Australia's 'lagging' cyber law framework

On 22 September, major telco company Optus announced that it was the victim of a massive cyberattack that compromised the personal information of both current and former customers. The news made waves across the country, garnering significant media attention as government bodies got involved and Australia’s privacy laws were questioned.

According to ACCC chair Gina Cass-Gottlieb, the data breach has already brought scammers looking to capitalise on those affected by the hack out of the woodwork. The commission stated that approximately 600 spam reports have been filed since the hack was made public.

ABC News reported that in addition to the investigation being conducted by the Australian Federal Police, the Office of the Australian Information Commissioner (OAIC) will also be examining Optus’ handling of customer data. The OAIC will be collaborating with the Australian Communications and Media Authority on the probe.

“Given the scrutiny this incident has received by the media and key government figures, this incident will almost certainly put cyber security and cyber law back on the agenda in the short term and hopefully fast track the progress of proposed cyber law reforms in Australia,” Nitesh Patel, head of cyber at Gilchrist Connell, told Australasian Lawyer.

“I think, or at least hope, the most significant impact this incident will have on cyber law is to reinforce the need to prioritise its development. Australia’s framework lags behind in many respects and we need to come up to speed.”

The cyberattack has thrust into the spotlight what Patel said are “multiple reforms of the Privacy Act that have been on the radar for some time but has not yet made it into legislation.”

“A key proposal is the limited ability for individuals to bring an action against businesses who interfere with their privacy. Other reforms of significance include a significant increase in penalties for serious privacy breaches, removing business exemptions so that more businesses are required to comply with the Privacy Act, expanding the definition of personal information, adding additional rights for individuals (including a right of erasure) and increasing the powers available to the regulator,” Patel said, pointing out that the majority of the amendments “are already commonplace in other parts of the world.”

He added that ransomware notification legislation “has been on the agenda since last year in various forms.”

“A well-considered obligation that requires businesses to notify a suitably funded government body of a cyberattack (which should not be limited to just ransomware) could assist to combat cyberattacks,” Patel said. “There has also been a push to impose minimum security standards such as the ACSC’s Essential Eight or provide further guidance around existing obligations to uplift cyber security postures.”

He also highlighted draft legislation that outlined new cybercrime offences with increased penalties as well as amendments that enable enforcement agencies to “investigate and prosecute criminal offences where perpetrators do their work outside of Australia but impact Australian individuals and businesses.”

Legal push to make cybersecurity a priority

While laws are not a foolproof plan against cyberattacks, they can limit such breaches by driving organisations to prioritise cybersecurity, Alison Cripps, practical guidance legal writer | cybersecurity, data protection and privacy at LexisNexis Australia, told Australasian Lawyer.

She outlined three factors that enable laws to effectively mitigate cyber risk:

  • the legislation must impose obligations that, when implemented, will mitigate security risks (and legislation must then adapt to the changing threats imposed by cyber criminals - as new mechanisms for cybercrime evolve, so too should legislation)
  • regulators must effectively enforce the legislation (including that penalties are applied, even where there is no cyber event) (I am not in a position to comment on whether regulators are effectively enforcing existing legislation)
  • the consequences of breaching the legislation must be significant, in order to incentivise organisations to comply with the legislation. Often these consequences are financial – but directors can also be personally liable for cyber events under their AFSL licensing obligations or licences to operate a business can be tied to compliance

“The proposed amendments to the SOCI Act will also see increased obligations relating to data management imposed on critical infrastructure organisations such as, water, electricity, sewage, telecommunications assets,” she added.

Cripps noted that Australia’s existing legislative regime is “very similar” to GDPR with regard to data security obligations.

“Currently, the penalty for non-compliance of the data security provisions of the Privacy Act for organisations is around $2.1m. The proposed amendments to the Privacy Act increase the penalties to around $10m per occurrence. This larger penalty regime is closer aligned to the penalties in place in the UK and Europe through GDPR and in China through PIPL. Larger penalties are likely to encourage more organisations to adopt safer data management practices,” she explained.

Nonetheless, Cripps indicated that greater penalties won’t stop cyberattacks by themselves.

“We can see through the many examples of cyber breaches that have occurred in the UK and Europe (where large penalties have existed under GDPR but we still see cyber events), that large penalties alone are not the complete answer to preventing cyber breaches, even in regimes where legislation is effectively enforced by regulators (national bodies or agencies),” she pointed out. “Risks will still remain. Effective strategy requires legislative reform to be coupled with investment in cybersecurity resourcing.”

Patel added that there is “no one-size-fits-all approach” as to how cyberattacks like the Optus hack can be handled from a legislative perspective, but it “simply means we need to progress discussions on the point now.”

“While investigations into the Optus incident are ongoing and we do not yet know how this incident occurred, it reinforces the importance of robust cyber security measures,” he said.

Nitesh Patel further discusses the legal liabilities for Optus and the potential legal action against the company later this week.