Commonwealth Attorney General describes the Privacy Act as outdated… hardly news, but good that an Attorney General is interested in privacy reform
October 18, 2022
The Attorney General is critical of the operation of the Privacy Act according to ‘A very outdated piece of legislation’: Optus hack highlights Privacy Act loophole. This is hardly news. What is good news is that reform of the Privacy Act is a priority. How quickly that happens is less certain. The interminable Attorney General’s Department review will be wrapped up by year’s end and sometime next year the reform process will begin.
The article provides:
The cyberattack on Optus has spotlighted a legal quirk that means corporations don’t have to tell anyone they’ve been hacked.
A spokesperson for Attorney-General Mark Dreyfus told Crikey the federal government is considering plugging the loophole, which allows organisations that have been hacked to keep it a secret.
“Millions and millions of Australians have been affected by the Optus data hack and are rightly concerned about the loss of their personal information,” the spokesperson said.
“The Albanese government is committed to protecting the personal information of Australians.”
The rules outlining when organisations have to disclose a hack are spelled out in the Notifiable Data Breaches scheme.
Under the scheme, companies are only required to tell the Office of the Australian Information Commissioner (OAIC) and hack victims that a breach has occurred if it’s deemed “eligible”.
But in order for a breach to be eligible, it has to meet certain criteria, including that the targeted organisation “has been unable to prevent the likely risk of serious harm with remedial action”.
The breach must also have involved unauthorised access to personal information, and be likely to result in serious harm to the individuals whose data was accessed, in order to be subject to mandatory reporting.
“There is huge scope for organisational judgment about disclosures … Public disclosure is never required,” University of Sydney professors Jane Andrew and Max Baker told Crikey.
The pair have been trying to establish a database of hacks but have found the task almost impossible because there is no central hub of information.
“We need a public repository of data breach information. All organisations should be required to file an annual notification so the public can build a better picture of data security, and to encourage organisations to foreground data security issues,” they said.
The attorney-general’s spokesperson said Dreyfus would consider “strengthening the Notifiable Data Breaches scheme in response to the Optus incident and as part of the Privacy Act review due to be completed by the end of this year”.
The review of the legislation, which took force in 1988, was initiated by the former government in 2020.
Dreyfus told the National Press Club last week that bringing the act’s review to a conclusion would be one of his goals in his first year as attorney-general.
“We have a very outdated piece of legislation in the Privacy Act,” Dreyfus said, with his office saying the review will inform an “overhaul” of the act next year.
The attorney-general also wants to see stiffer penalties for companies that incorrectly store data than today’s maximum fine, which sits at just above $2 million.
A recent report from the OAIC said 71% of hacks affect fewer than 100 people, meaning most hacks are likely to fly under the radar even though they may have a significant impact on victims.
The massive hack on Optus, which affected millions of customers, has been followed by other high-profile cyber incidents in recent weeks.
They include an attack targeting MyDeal, an online shopping website owned by grocery giant Woolworths Group, which confirmed at the weekend that 2.2 million customers had been affected.