Optus hack: Telcos face tougher fines in looming legal crackdown
Optus and other telecommunications giants face a massive crackdown as the federal government prepares to rush through new privacy laws.
Tougher fines for data breaches and new requirements that force firms to dispose of data when they no longer need it are being considered as the fallout from the theft of 9.8 million Optus customers’ data widens.
Prime Minister Anthony Albanese said on Thursday that active discussions on privacy reforms are underway, saying it was “common sense” that companies like Optus should dispose of personal data more regularly.
“The former Government just ran out of steam some years ago. So, we’ve got a lot of catching up to do and this is one of the areas,” he said.
It came after Attorney General Mark Dreyfus flagged urgent privacy law reforms in an interview on the ABC’s RN Breakfast on Thursday, saying current protections aren’t strong enough to protect Australians’ data.
“For too long we have had companies solely looking at data as an asset they can use commercially,” Attorney General Dreyfus said.
“We need to have them appreciate very, very firmly that Australians’ personal information belongs to Australians.”
The federal government hasn’t outlined exactly what legal changes it might pursue, though Home Affairs Minister Clare O’Neil has said that current penalties for data breaches aren’t tough enough.
“We’ve got a company here [Optus] that has seen a breach of data of more than half of the adult population of Australia,” Minister O’Neil told the Nine network.
“In other countries around the world they would be subject to hundreds of millions of dollars worth of fines.
“In Australia the maximum fine we can attach to this kind of breach in the Privacy Act is $2.2 million, which for a massive company like Optus is really a drop in the ocean.”
Optus is also facing pressure to foot the bill for customers to have their information — including passports and licences — replaced, while the government considers whether new Medicare cards are needed.
After initially failing to disclose that Medicare details were leaked in the hack last week, Optus revealed on Wednesday night that nearly 37,000 people had their Medicare card numbers stolen.
Authorities questioned whether Optus fully disclosed what information was stolen after an online account claiming to be the hacker released a sample of stolen data on 10,000 people, containing Medicare numbers.
Of the 37,000 stolen Medicare numbers, about 14,900 are valid and have not expired, while a further 22,000 are expired, Optus said.
Attorney General Dreyfus said legislative changes could be introduced to parliament by the end of the year.
“It is certainly not just simply about increasing penalties, although that will be part of the reforms we are going to look at,” he told reporters in Canberra on Thursday.
“We need to make sure that companies who are keeping Australians’ data pay absolute attention to keeping that data safe.”
However, the federal opposition has criticised the government for not implementing online privacy reforms that were recommended by a previous coalition review.
Opposition communications spokeswoman Sarah Henderson said the previous calls for reform had fallen on deaf ears.
“It should not have taken the cyber attack on Optus to wake up this government,” she said.
“The protection of Australians’ personal information online must be a high priority for the Albanese government.
“It is critical that our laws continue to be updated to ensure the online protection and safety of all Australians.”
Under the coalition proposal, large telcos and social media companies with more than 2.5 million users would be required to obtain fully informed consent to be able to use personal information, and to stop using the information on request.
Increased fines of up to $10 million for serious breaches would also apply.
The data breach prompted nearly all states and territories to allow affected residents to apply for new driver’s licence numbers.
‘Long-tail impact’ of Optus hack
Financial Services Minister Stephen Jones has also held key talks with the consumer watchdog about the consumer impacts of the huge hack.
The meeting on Thursday with the Australian Competition and Consumer Commission also included regulators and banking representatives.
Minister Jones said while the response to the breach had been wide-ranging, the consequences of the incident would linger.
“There’ll be a long-tail impact of this data breach,” he told reporters in Sydney.
“There is no lack of goodwill to co-operate, from the Commonwealth, from the banks and even the telecommunications companies.
“People understand the scale of this and we are moving as fast as we can.”
Minister Jones said Optus had a responsibility to the almost 40 per cent of Australians affected by the data breach.
It comes as the government is looking at introducing urgent reform to privacy laws.
Prime Minister Anthony Albanese has demanded Optus pay for the cost of replacing passports for customers whose data was hacked, saying it was the telco’s blunder.
“Companies need to be held to account here, and that is something my government is determined to do,” he told 5AA radio on Thursday.
Foreign Minister Penny Wong wrote to Optus chief executive Kelly Bayer Rosmarin on Wednesday, saying there was “no justification” for affected customers or taxpayers to foot the bill.
Attorney General Dreyfus said he saw no reason why telcos needed to keep data used to validate identification, such as a driver’s licence or passport, for a decade.
“Obviously, the more data that’s kept the bigger the problem there is about keeping it safe — the bigger the problem there is about the potential damage that’s going to be done by a huge hack that’s occurred here,” he said.
-with AAP