The Optus Data Breach // Takeaways and next steps for businesses

The recent Optus data breach has rightly been a topic of conversation and a huge cause for concern for both individual users affected and businesses that process personal information. The breach highlights the vulnerability of companies to cyberattacks and shows the devastating impact on individuals and affected companies, legally, financially and reputationally.

We’ve set out our thoughts on how businesses can learn from Optus’ experience to reduce the risk to them and to their customers in the event they experience a cyberattack or data breach.

The Optus Data Breach


What do we know?

At this stage, we know that Optus was subject to a cyberattack that resulted in a third party gaining unauthorised access to, and disclosing, customer personal information. That information included names, dates of birth, phone numbers and email addresses and, for a subset of customers, addresses, ID document numbers (such as driver's licence or passport numbers) and Medicare numbers.


What are some important takeaways for businesses?

The most interesting question here is why Optus kept personal information about its current and former customers for as long as it did, in some cases for up to 6 years.

The main piece of Commonwealth legislation governing the collection, use and disclosure of personal information, the Privacy Act 1988 (Cth) (Privacy Act), requires entities to take reasonable steps to destroy or de-identify personal information once the entity no longer needs it, subject to some exceptions. One of these exceptions applies where the entity is required by another Australian law to keep the personal information for a longer period.

Optus, like many companies, is subject to Australian laws that require it to keep particular information for a set period. For example, under the Telecommunications Consumer Protections Code Optus must be able to provide customers and former customers with billing information for up to 6 years prior to the date the information is requested, and under the Telecommunications (Interception and Access) Act 1979 (Cth) it must keep information used for identification purposes (as well as other information) for a minimum of two years.

Companies must balance the requirements of these laws against the Privacy Act's requirement to delete or de-identify personal information once it is no longer needed for the purposes for which it was collected. For example, if a law requires you to keep records of customer complaints for a certain period, you should keep only the minimum information needed to maintain those records and delete or de-identify everything else once you no longer need it.


What can I do to reduce the risks to my customers and to my business if my business was subject to a cyberattack?

There are many things that companies can do to help prevent data breaches and to mitigate the damage if a cyberattack does occur:

  1. Businesses should have clear policies and practical procedures in place, covering both the business and its customers, to ensure they are not holding personal information they do not need, or holding it for longer than they should. This reduces the risk to affected individuals in the event of a data breach, and also the risk to the business of being found to have handled personal information unlawfully, for example by retaining or using information it no longer needs for the purpose it was collected, or by storing personal information it did not need to collect in the first place.

  2. All data retention and security policies should be easily accessible to, and understandable by, all staff, and businesses should have clear procedures that flow down from those policies covering responsibilities, processes and technical measures (for example, using the retention or deletion functions in the software or cloud services they use) to ensure that any personal information that is no longer needed is deleted or de-identified.

  3. Businesses should regularly carry out ‘health checks’ and assessments to confirm that their policies, procedures and technological safeguards remain effective and appropriate, including whenever there is a change in the business’s operations.

  4. Policies and their associated procedures should be reviewed and updated regularly so that they continue to reflect the operations of the business and current best practice (which evolves constantly as technology changes and as incidents like the Optus breach demonstrate the risks associated with handling personal information).

  5. Businesses should also have measures in place that prompt customers or users to change their passwords regularly, with multi-factor authentication in place where practicable, particularly where the business holds information that would pose greater risk to customers in the event of a cyberattack or data breach, such as health information, financial information or identity documents.


What next?

Businesses should be aware that the Australian government is currently reforming the Privacy Act, with the reformed Act expected to be released in 2023. The reforms are likely to attract greater scrutiny and take on new importance now that the Optus breach has highlighted how critical the protection of personal information is.

One of the many items under consideration in the reforms is the data retention and destruction requirements under the Privacy Act. The position proposed under the reforms is stricter than the current one, so companies should get on top of their data retention practices now; doing so is likely to make any further steps required after the reforms less onerous.


What can we do to help?

We help businesses every day to implement, review and improve appropriate personal information controls so that they comply with their legal obligations and manage reputational and financial risk. Of particular relevance now, we conduct privacy audits to review your policies, procedures and operations and recommend improvements.

If you would like to know more about what you can do to reduce the risk to your business and to your customers in the event of a data breach, and to ensure you are complying with your obligations under the Privacy Act, please reach out to our Commercial Team for a free initial consultation. We’re here to help.
