A string of major data breaches at an Australian telecommunications provider, a large retailer, and a private health care provider has had far-reaching implications for both Australian and international businesses and consumers. The introduction of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (Privacy Bill) signals that the data security landscape in Australia is changing in order to drive better data handling and cybersecurity practices.
This article outlines the implications of these major data breaches, regulatory responses including changes to the Privacy Act, and the lessons businesses can take from these data breaches.
A Ripple of Implications
Customers affected by these breaches are now vulnerable to identity theft, fraud, interference, and scams. There have been two reported attempts by hackers to extort money from the companies that suffered large data breaches. Both companies rejected the hackers' demands, which resulted in the publication of customers' personal data on the internet.
The Australian Competition and Consumer Commission's (ACCC) Scamwatch has issued alerts urging consumers to be cautious about fraudulent emails asking people to enter their details to apply for replacement documents and compensation. Scamwatch has also reported fake phishing texts circulating as a result of the leaked personal information.
Proposed Changes to the Law
In response to these breaches, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Privacy Bill) was introduced into Parliament on 26 October 2022. The Privacy Bill is intended to amend the Privacy Act to introduce tougher penalties and strengthen the privacy and cybersecurity frameworks that apply to organisations.
The Privacy Bill in its current form is expected to:
- Increase the penalties for serious or repeat privacy breaches by an organisation. The maximum penalty is increased from $2.2 million to the greater of:
  - $50 million;
  - 30% of the Company's turnover; or
  - 3 times the value of the benefit the Company obtains from the misuse of the personal information.
- Expand the scope of organisations covered by the Privacy Act, so that the Act applies extra-territorially to qualifying foreign organisations.
- Grant the Office of the Australian Information Commissioner (OAIC) new powers to:
  - seek information from organisations and assess data breach compliance;
  - share information with other regulators to help further its functions under the Privacy Act; and
  - issue infringement notices if an organisation does not comply with an OAIC request.
The Attorney-General also completed a review of the Privacy Act 1988 (Privacy Act Review) in January 2022. It is anticipated that the reforms considered in the Privacy Act Review will be escalated to Parliament following these major data breaches.
Other Regulatory Responses to the Breaches
OAIC’s response
The OAIC has launched an investigation into the large data breach involving a telecommunications provider. The OAIC will investigate whether the Company 'took reasonable steps to protect personal information they held from misuse, interference, loss, unauthorised access, modification, or disclosure, and whether the information collected and retained was necessary to carry out their business'.
The OAIC will also work with the Australian Communications and Media Authority (ACMA), which has launched its own investigation. ACMA's investigation will look into the Company's data handling practices and whether the Company acted consistently with its obligations as a licensed telecommunications firm.
The OAIC is also making preliminary inquiries with a private healthcare provider involved in a data breach to ensure it complied with the Notifiable Data Breaches scheme.
Telecommunications Regulations
The Treasury and Ministry for Communications released a statement announcing that amendments will be made to the Telecommunications Regulations 2021 in response to the data breach.
These changes are aimed at improving coordination between financial institutions, the Commonwealth, and the States and Territories, 'to detect and mitigate the risks of cyber security incidents, frauds, scams and other malicious cyber activities.' The amendments await approval from the Governor-General.
Law Enforcement Involvement
For the breach involving the telecommunications provider, both domestic and overseas law enforcement agencies have been involved in Operation Hurricane, which aims to uncover the identity of the hacker who caused the breach. A concurrent operation, Operation Guardian, has been launched by the Australian Federal Police to protect the customers who are at high risk of identity theft and other fraudulent activity. As the breaches increase in size and scale, Operation Guardian is being expanded.
Lessons for your Business
It is time to look introspectively and assess what kind of culture and attitude your organisation has towards privacy. The Government's new legislation imposes stronger penalties, meaning that you need to be proactive in your approach to privacy. The significantly higher penalties demonstrate that the Government is ready to crack down on complacency and poor data practices.
Your business needs to review its policies and procedures to ensure they comply with the Privacy Act and to avoid the risk of significant fines. It is also important to be aware that further privacy reforms are expected, which means that older privacy materials and practices may no longer be fit for purpose. For foreign businesses that operate in Australia or hold Australian personal information, it is crucial to determine whether you are caught by the Privacy Act and, if you are, to ensure that your practices comply with it.
A key takeaway from these data breaches is that organisations are holding on to more information than they reasonably need for their business functions.
Businesses that continue to work from home are easier targets for cybersecurity breaches. It is important to have robust cybersecurity programs that protect your work devices from hacking, data breaches, phishing, and ransomware. This includes understanding who your cloud provider is, where your clients' personal information is held, and which third parties can access and use it.
Here are a few things your business can do to prepare for the changes:
- Review personal information collection and handling practices.
  - Take inventory of what personal information you have collected, whether it is sensitive information, and why you need it for your business operations.
  - Determine how long your organisation should hold onto personal information that is collected in connection with your business practices.
  - Have appropriate data deletion processes in place for information you no longer require.
  - Assess the data handling practices of third parties that you share personal information with, to ensure that customer personal information is adequately protected.
- Stay alert to changes to the Privacy Act.
- Review existing cyber security protections.
  - Take inventory of what software and assets you need to protect. Implement appropriate software and hardware solutions and protocols, such as two-factor authentication, that will protect your organisation.
  - Determine whether your business has appropriate procedures for reporting a data breach.
  - If your business allows working from home, consider what additional steps you need to take to prevent cyber risks.
Please get in touch if you would like assistance with understanding how this may impact your organisation.