The cyberattack on Optus has spotlighted a legal quirk that means corporations don’t have to tell anyone they’ve been hacked.
A spokesperson for Attorney-General Mark Dreyfus told Crikey the federal government is considering plugging the loophole, which allows organisations that have been hacked to keep it a secret.
“Millions and millions of Australians have been affected by the Optus data hack and are rightly concerned about the loss of their personal information,” the spokesperson said.
“The Albanese government is committed to protecting the personal information of Australians.”
The rules outlining when organisations have to disclose a hack are spelled out in the Notifiable Data Breaches scheme.
Under the scheme, companies are only required to tell the Office of the Australian Information Commissioner (OAIC) and hack victims that a breach has occurred if it’s deemed “eligible”.
But in order for a breach to be eligible, it has to meet certain criteria, including that the targeted organisation “has been unable to prevent the likely risk of serious harm with remedial action”.
The breach must also have involved unauthorised access to personal information, and be likely to result in serious harm to the individuals whose data was accessed, in order to be subject to mandatory reporting.
“There is huge scope for organisational judgment about disclosures … Public disclosure is never required,” University of Sydney professors Jane Andrew and Max Baker told Crikey.
The pair have been trying to establish a database of hacks but have found the task almost impossible because there is no central hub of information.
“We need a public repository of data breach information. All organisations should be required to file an annual notification so the public can build a better picture of data security, and to encourage organisations to foreground data security issues,” they said.
The attorney-general’s spokesperson said Dreyfus would consider “strengthening the Notifiable Data Breaches scheme in response to the Optus incident and as part of the Privacy Act review due to be completed by the end of this year”.
The review of the legislation, which took force in 1988, was initiated by the former government in 2020.
Dreyfus told the National Press Club last week that bringing the act’s review to a conclusion would be one of his goals in his first year as attorney-general.
“We have a very outdated piece of legislation in the Privacy Act,” Dreyfus said, with his office saying the review will inform an “overhaul” of the act next year.
The attorney-general also wants to see stiffer penalties for companies that incorrectly store data than today’s maximum fine, which sits at just above $2 million.
A recent report from the OAIC said 71% of hacks affect fewer than 100 people, meaning most hacks are likely to fly under the radar even though they may have a significant impact on victims.
The massive hack on Optus, which affected millions of customers, has been followed by other high-profile cyber incidents in recent weeks.
They include an attack targeting MyDeal, an online shopping website owned by grocery giant Woolworths Group, which confirmed at the weekend that 2.2 million customers had been affected.
Should the government change the rules around data breach disclosures? Let us know by writing to letters@crikey.com.au. Please include your full name to be considered for publication. We reserve the right to edit for length and clarity.
Crikey is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while we review, but we’re working as fast as we can to keep the conversation rolling.
The Crikey comment section is members-only content. Please subscribe to leave a comment.
The Crikey comment section is members-only content. Please login to leave a comment.