Optus could face millions of dollars in fines from regulators following the announcement of co-ordinated investigations into the breach that saw the personal information of 9.8 million Australians exposed.

The Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) announced their investigations into Optus’s handling of data in separate press statements on Tuesday.

Privacy Commissioner Angelene Falk said the Optus breach should be a warning to all organisations in Australia that they need to be extra careful about how they manage data.

“If they have not done so already, I urge all organisations to review their personal information handling practices and data breach response plans to ensure that information is held securely, and that in the event of a data breach they can rapidly notify individuals so those affected can take steps to limit the risk of harm from their personal information being accessed,” she said.

“Collecting and storing personal information that is not reasonably necessary to your business breaches privacy and creates risk. Only collect what is reasonably necessary.”

ACMA Chair Nerida O’Loughlin said there are “significant consequences” when personal information isn’t safeguarded.

“All telcos have obligations regarding how they acquire, retain, protect and dispose of the personal information of their customers,” she said.

“A key focus for the ACMA will be Optus’s compliance with these obligations.”

Andrew Sheridan, Optus's Vice President of Regulatory and Public Affairs, said the telco "is committed to working with governments and regulators as we respond to the impacts of the cyber attack".

He added that Optus "will engage fully" with the OAIC and ACMA during their investigations.

The OAIC noted in its statement that it can take Optus to court and seek fines of up to $2.2 million for each “serious and/or repeated” contravention of the privacy principles.

In early 2020, the OAIC began court proceedings against Facebook for the Cambridge Analytica scandal which affected more than 300,000 Australians.

That landmark case is still making its way through the Federal Court, but it’s worth noting the OAIC initially alleged each instance of personal information disclosure in that incident constituted a breach of the Privacy Act.

The suggestion is Facebook could, at the extreme end, be looking at $500 billion worth of fines if the court agrees.

We won’t know whether the OAIC or ACMA intend on taking Optus to court for the breach until they finish their investigations, but with nearly 10 million customers affected – at least 1.2 million of whom had current licence, passport, or Medicare numbers exposed – the debacle could end with a large fine for the telco.

The government said it would reform the Privacy Act in the wake of the Optus breach, with bigger fines “part of the reforms”, according to Attorney-General Mark Dreyfus, who recently promised better data protections were in the pipeline.

"Australians need to be assured that when their data is asked for and taken from them by a private company or by government that it will only be used for the purpose for which it has been collected,” he said.

“We need to get in place something that encourages companies to dispose of data safely, to not keep data when they no longer have a purpose for it.”