The recent cyber-attack on Optus, which resulted in the unauthorised disclosure of the personal information of millions of Australian customers, is a timely reminder to all owners and operators of critical infrastructure and other Australian organisations of their statutory obligations to prevent and report cyber security attacks.
The Optus data breach is the first major cyber security incident since the reforms to expand the scope and powers under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). As a telecommunications carrier, Optus is subject to the SOCI Act. However, as we have summarised previously here and here, the amended SOCI Act now extends beyond telecommunications to most other sectors of the Australian economy including data storage and processing, financial markets and payment systems, food and groceries and electricity and gas.
Owners and operators of critical infrastructure assets only have until 8 October 2022 to provide details of their critical infrastructure to the Cyber and Infrastructure Security Centre (CISC), which is charged with maintaining a Register of Critical Infrastructure Assets. This reporting obligation is designed to ensure that CISC and other Federal Government agencies have the information they require to step in and assist Australian organisations to respond to a cyber incident.
Federal Government agencies have taken a key role in responding to the Optus data breach. Home Affairs Minister Clare O’Neil has publicly stated that “the full weight of cybersecurity capabilities across government, including the Australian Signals Directorate, the Australian Cyber Security Centre and the Australian Federal Police are working round the clock to respond to this breach”.
What is currently unclear is whether the Federal Government exercised its statutory powers to ‘step in’ under the SOCI Act, or whether Optus simply requested assistance. In August 2022, it was reported that the Federal Government designated 82 of the most sensitive critical infrastructure assets as ‘systems of national significance’ (SONS) under the SOCI Act. It is unclear whether Optus’ assets were designated, but if they were, then Optus may be required to undertake cyber security exercises and assessments with the Department of Home Affairs, which potentially would have identified vulnerabilities, although any designation may have come too late to prevent this particular incident.
Sector-specific cyber security obligations
Outside of the SOCI Act, organisations may be subject to sector-specific security obligations. For example, the Telecommunications Sector Security Reforms (TSSR) requires that carriers such as Optus protect their networks and facilities from unauthorised access and interference by maintaining competent supervision and effective security controls.
The penalties for breach of these general security obligations under the TSSR are fairly low and capped at $250,000 per contravention. This may be subject to review given comments by government about the inadequacy of current penalties.
Much of the media attention relating to the Optus data breach has focused on a potential contravention of privacy laws.
The Australian Privacy Principles (APPs) are the basis of the privacy protection framework in the Privacy Act 1988 (Privacy Act). APP 11 imposes a general security obligation on regulated entities to take reasonable steps to protect personal information they hold from misuse, interference, loss, or unauthorised access, modification and disclosure. There is no doubt that what constitutes ‘reasonable steps’ is rapidly expanding to address the increasing threat environment.
Under APP 3, organisations may only collect personal information that is reasonably necessary for their functions or activities. In addition, APP 11 requires that businesses destroy or de-identify personal information once it is no longer needed for the purpose for which it was collected.
The fact that Australian businesses are increasingly seeking to leverage data assets by collecting and holding greater amounts of personal information means that businesses need to be cognisant of their APP 3 and APP 11 obligations. Along with the general risk of non-compliance, retaining data for longer than necessary presents an increased opportunity for malicious actors, a risk which appropriate data handling processes may otherwise mitigate.
The Optus data breach has also raised significant public concern over the disclosure of government identifiers, such as passport details, and questions as to why Optus was holding this information.
Carriers are required to collect this type of information for identity verification purposes and must continue to hold it for prescribed periods to meet data retention obligations in the Telecommunications (Interception and Access) Act 1979 (Cth). In addition, under Section 113 (and similar provisions) of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), certain identification records must be kept for seven years. However, the AML/CTF Act only applies to ‘reporting entities’, which are those that provide certain financial services, precious metals-related services, and gaming and wagering services. These sector-specific laws highlight the complexity in implementing compliant data retention and erasure policies.
It seems likely that the Optus data breach will trigger regulatory reform. The Home Affairs Minister has already signalled her intention to overhaul data security and privacy laws. Based on the Minister’s numerous recent statements, greater regulatory scrutiny and higher penalties are likely to be considered, which would bring Australia’s privacy law closer into line with Europe’s General Data Protection Regulation (GDPR) regime.
The Home Affairs Minister has commented that the current penalty for organisations that fail to comply with their privacy obligations – a maximum of A$2.2 million – is “totally inappropriate”. Any move to increase the penalty is likely to be bipartisan, given that the former Morrison Government released an exposure draft of privacy law amendments to increase the penalties applicable for serious and repeated breaches of privacy to the greater of:
- A$10 million;
- three times the value of any benefit obtained through the misuse of information; or
- 10% of the entity's annual Australian turnover.
It has also been suggested that regulations will be introduced requiring organisations to share information about data breaches with financial institutions to mitigate the misuse of the information that has been disclosed and minimise further harm.
The Optus data breach is a timely reminder, not only for owners and operators of critical infrastructure assets, but for Australian companies at large, of their cyber security obligations and the need to review their data security and retention practices to ensure legislative compliance.
Boards should be cognisant of directors’ duties when overseeing cyber security policies and the management of cyber security incidents.
A prudent starting point would be to assess the application of the SOCI Act to your business and conduct an external privacy and security audit to ensure current policies and controls are fit for purpose and compliant with statutory obligations.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.