Federal Government announces new regulations regarding the sharing of personal information after a data breach

October 6, 2022

There is a very valuable legal maxim that all governments and judicial officers should always keep at the front of mind: hard cases make bad law.  It has some bearing on the response to the Optus data breach, which is morphing into a saga.  Knee-jerk responses to the breach may create legal and administrative problems into the future.

The Attorney General’s announcement of a significant reform of the Privacy Act is a welcome step. It has been a long time coming.

The amendments to the Telecommunications Regulations 2021 to permit telecommunications companies to temporarily share government identifiers with, essentially, banks are an understandable response.  But they create yet another, albeit only 12-month, exemption in an already overly complicated area of law.  They are also specific to one industry, telcos.  There are thousands of businesses which have collected government identifiers and may suffer a data breach.  The use of ID scanners is ubiquitous.

This may be the largest breach of Australian records, but it will not be the last major data breach.  They are regular occurrences.  Taking the United States and Europe as a guide, organisations need to attend to mitigating damage.  Engaging government only when a breach exceeds a certain size, and not otherwise, is poor public policy.  What is needed is proper laws and strong enforcement.  That will change the culture and the response by organisations.

The joint statement of Minister for Communications Michelle Rowland and Treasurer Jim Chalmers, “Changes to protect consumers following Optus data breach”, provides:

The Albanese Government has prepared amendments to the Telecommunications Regulations 2021 to better protect Australians following the Optus data breach

The Government will recommend to the Governor-General that the regulations be amended to allow Optus and other telcos to better coordinate with financial institutions, the Commonwealth, and states and territories, to detect and mitigate the risks of cyber security incidents, frauds, scams and other malicious cyber activities.

The amendments will enable telecommunications companies to temporarily share approved government identifier information (such as drivers licence, Medicare and passport numbers of affected customers) with regulated financial services entities to allow them to implement enhanced monitoring and safeguards for customers affected by the data breach.

In addition, Optus will be able to share identifiers to assist Commonwealth, and state and territory agencies, to detect and assist in preventing fraud.

The proposed regulations have been carefully designed with strong privacy and security safeguards to ensure that only limited information can be made available for certain purposes. Specifically:

    • The regulations cover financial institutions that are regulated by APRA, excluding branches of foreign banks
    • The Communications Minister has the ability to specify additional services entities, if required, but only for entities that are related to or support an APRA-regulated entity
    • Information can only be used for the sole purposes of preventing or responding to cyber security incidents, fraud, scam activity or identity theft
    • Entities that wish to receive the data must provide written commitments to the ACCC that they will comply with their obligations under the Privacy Act 1998, attest to APRA that they meet the relevant information security standard, and confirm in writing that the information they are seeking is necessary and proportionate
    • Approved recipients must satisfy robust information security requirements and protocols for any transfer and storage of data
    • Information received must be destroyed once it is no longer required.

The proposed changes will also allow for increased fraud detection in the broader financial services sector through existing industry mechanisms to report fraudulent transactions, such as fraud information exchanges.

In addition, the Council of Financial Regulators’ cybersecurity working group will examine and report on options to further improve the ability of financial institutions to identify at risk customers and credentials by utilising an existing secure and privacy protecting data sharing platform, to enable financial institutions to further enhance their protections for consumers from financial crime. 

In developing this approach, the Government has undertaken extensive consultation across Commonwealth agencies, financial system regulators, Optus, the banking sector, major telecommunications providers, and the Australian Information Commissioner.

The financial regulators have taken additional steps to protect customers, including through the ACCC’s ScamWatch, and direct engagement with financial institutions. 

Financial institutions have also been proactive in response to the data breach, including through implementing heightened controls on those accounts identified as at higher risk.

Quotes attributable to the Hon Jim Chalmers MP, Treasurer: 

“Our Government has been working in lockstep with banks and financial regulators to facilitate the safe and secure sharing of data between Optus and regulated financial institutions, with appropriate safeguards, to improve consumer protection.

Financial institutions can play an important role in targeting their efforts towards protecting customers at greatest risk of fraudulent activity and scams in the wake of the recent Optus breach. These new measures will assist in protecting customers from scams, and in system-wide fraud detection.”

Quotes attributable to the Hon Michelle Rowland MP, Minister for Communications:

“The Albanese Government takes seriously the protection of personal information. The proposed regulations have been carefully designed with strong privacy and security safeguards to ensure that only limited information can be made available for designated purposes.

This will enable Optus, the financial services sector and relevant agencies to work together more effectively, to implement enhanced monitoring and safeguards to protect customers affected by the breach.”

This proposed amendment is covered in “Labor unveils privacy reforms after Optus hack”, which provides:

The government has announced changes to telecommunications regulations in the wake of the Optus data breach, which will allow telcos to share information with the government and coordinate with financial institutions to prevent fraud.

The amendments will allow telcos to “better communicate with financial institutions to detect and mitigate the risks of malicious activity, including ID theft and scams,” Communications Minister Michelle Rowland told a press conference on Thursday.

They will also allow Optus to share “limited information about customers” with government agencies, such as Services Australia, to assist in preventing fraud.

“What this is all about is to try and reduce the impact of this data breach on Optus customers and to enable financial institutions to implement enhanced safeguards and monitoring,” Ms Rowland said.

The government had “consulted widely” in relation to the changes, she added.

“We have designed these regulations with strong privacy and security safeguards to ensure that only limited information is made available for a specific set of designated purposes,” Ms Rowland said.

The amendments, which will be recommended to the Governor-General, have been “carefully designed” with regard to privacy, Jim Chalmers has said.

“Only limited information can be made available temporarily to prevent and respond to cyber security incidents, fraud, scams and related activities,” the Treasurer told the press conference.

The amendments cover financial institutions that are regulated by the Australian Prudential Regulation Authority, apart from foreign bank branches, and give Communications Minister Michelle Rowland the authority to add financial service entities if required.

Information that will be shared could include drivers licences, and Medicare and passport numbers of affected customers, but not names, addresses, dates of birth or other personal information, Dr Chalmers said.

Dr Chalmers acknowledged that smaller institutions may not have the capacity to digest and transmit data according to the requirements. The Council of Financial Regulators will provide support to those institutions to identify their at-risk customers via existing data sharing platforms.

The story has also been covered by the ABC in “Government strengthens powers for telcos to share affected data following Optus hack”, which provides:

The federal government has released planned changes to telecommunications laws following the Optus data breach, which affected nearly 10 million customers and former customers.

Changes to telecommunications regulations will allow drivers licences and Medicare and passport numbers to be temporarily shared with financial services so they can implement enhanced monitoring for people affected by the Optus breach.

Optus will also be able to share that information with Commonwealth and state and territory agencies to assist in fraud detection.

Treasurer Jim Chalmers said the changes would help make customers affected by the breach safer.

“Financial institutions can play an important role in targeting their efforts towards protecting customers at greatest risk of fraudulent activity and scams in the wake of the recent Optus breach,” Mr Chalmers said.

“These new measures will assist in protecting customers from scams, and in system-wide fraud detection.”

Financial institutions will have to make several undertakings in order to receive the data, including to destroy the information when it is no longer required and to honour privacy obligations.

Institutions will only be able to use the data to help protect consumers from fraud as a consequence of the hack. 

The government has also asked the Council of Financial Regulators to examine and report on options to further strengthen the ability for banks and other institutions to identify at-risk customers.

Mr Chalmers and Communications Minister Michelle Rowland said financial institutions had been proactive in the breach — though the government has previously criticised elements of the Optus response, including a delay in notifying that Medicare numbers had also been caught up in the hack.

Ms Rowland said the changes were designed to maintain the privacy and security of sensitive data.

“The proposed regulations have been carefully designed with strong privacy and security safeguards to ensure that only limited information can be made available for designated purposes,” she said.

The new regulations will be in place for 12 months.
