Attorney-General Mark Dreyfus has already indicated that an overhaul of the Privacy Act is on the horizon. If revisions are passed, within the next few months companies will have to limit the amount of customer data stored on their databases.
This is both a logical and overdue measure. While the industry code of practice requires telcos to retain customers' names, addresses and account reference numbers for up to six years, mainly for potential debt recovery, the Optus breach detailed how the telco also stored the passports, licenses and Medicare details of millions of past and current customers.
This data is in the spotlight. Many organisations may hold onto and leverage this kind of information for commercial or marketing purposes. However, if it falls into nefarious hands, criminals can exploit the data for identity fraud and financial theft.
The worst case has sadly played out. Following the breach, attempts have already been made to exploit Australians with the leaked information. Australia's consumer watchdog is being flooded with scam complaints related to the hack and, earlier this month, there was the arrest of a teenager who'd used it to develop an SMS scam.
It's often a brutal exercise to look back with hindsight after a breach, but the fact of the matter is that it was unnecessary to keep this data at all. To verify customers' identities, this information can always be requested again.
Beyond exposing customers to financial theft and identity fraud, holding onto data flies in the face of Australians' preference for autonomy. Last year, Deloitte's Australian Privacy Index found 79 per cent of consumers would like to exercise their right to erasure when on a brand's website, meaning they can demand a brand delete all data related to them.
And yet, according to the same study, only five per cent of Australian brands allow consumers this option.
The Albanese government has proposed the Online Privacy (OP) bill, which has been engineered to remedy gaps in the accountability of data storage. If passed, organisations that fall under the Privacy Act will need to honour requests from individuals that their data is not disclosed or used.
The bill will also increase financial penalties for organisations associated with the misuse of personal data. Where currently the maximum fine is AUD $2.1 million, the changes will increase this to either AUD $10 million or three times the value of gains generated through data misuse - whichever figure is higher.
Australians are yearning for these or even harsher penalties, with 59 per cent indicating a preference for tougher fines - in the millions - for companies that leave their data open to theft.
Collectively, these measures indicate a shift towards stricter privacy laws more in line with those in Europe. The General Data Protection Regulation (GDPR) came into effect in 2018, and was created to regulate how companies protect and manage the data of individuals within the European Union (EU).
Any company that does business, sends employees, has customers or handles data associated with people travelling into the EU is subject to GDPR. This includes the personal data on employees' mobile devices.
Under GDPR, people have the right to be informed, the right of access, the right to rectification and the right to erasure, among other protections.
In addition, while Australian businesses currently have 30 days under the Notifiable Data Breaches (NDB) scheme to assess whether a data breach is likely to result in serious harm before reporting it to authorities, GDPR requires organisations to report cyber incidents within 72 hours.
In the Optus case, it took days for them to alert customers of the breach. In fact, their first port of call was the media, which left many pundits scratching their heads.
Penalties for failing to comply with GDPR are also notoriously unforgiving. In 2021, Amazon admitted it was forced to pay USD $877 million because of the way it collected and shared personal data via cookies.
Rather than waiting for the law to change, organisational leaders should start making inroads now to protect stakeholder data against cyber-crime.
This should begin with an assessment of the data currently held in your databases. As mentioned, there's no reason to hold onto the email addresses or phone numbers of people who have long since departed your organisation. This creates both clutter and boundless opportunities for identity theft and fraud.
Given the interconnectedness of systems, leaders should engage comprehensive data protection that covers the entire spectrum of digital activity, including each user, their behaviour and the devices and applications they're using. As we saw in the Optus case, criminals are ready to pounce at a moment's notice and just one weak entry point can have catastrophic consequences.
It's also important to consider that people are now spread across a vast range of locations and using an almost limitless number of unmanaged devices and networks to work, consume and recreate. It's not uncommon for past and current employees to have access to an organisation's data through their mobile, and intentionally or unintentionally leak it.
Attaining visibility and control over your entire system will reduce the risk and impact of ransomware and other cyber threats, and ensure that personal information is better protected.
The Optus breach was a wake-up call for many Australians and businesses alike, and the collection and storage of data is now firmly in the crosshairs. The government has understandably responded by cracking the whip on any negligence with handling personal information, in line with public outrage at the exposure of their personal data.
But this could happen to any organisation, and with more stringent regulations on the horizon a data leak can quickly move from a reputation-tarnishing event to one that is financially crippling. Business leaders need to prepare for this new dawn and start thinking seriously about the data they truly need to keep, then how to best protect it.
