The Australian Information Commissioner opens an investigation into Optus regarding its data breach
October 11, 2022
Today the Australian Information Commissioner initiated an investigation. In other jurisdictions this step by a regulator is quite common. It is far less so in Australia. It is clearly required given the size of the data breach, the likely cause and the consequential events as Optus has struggled to remediate the damage.
The Commissioner’s statement provides:
The Office of the Australian Information Commissioner (OAIC) today commenced an investigation into the personal information handling practices of Singtel Optus Pty Ltd, Optus Mobile Pty Ltd and Optus Internet Pty Ltd (the Optus companies) in regard to the data breach made public by Optus on Thursday, 22 September 2022.
The OAIC’s investigation will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business.
The investigation will also consider whether the Optus companies took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy principles (APPs), including enabling them to deal with related inquiries or complaints.
The OAIC’s investigation will be co-ordinated with that of the Australian Communications and Media Authority (ACMA), also announced today.
Australian Information and Privacy Commissioner Angelene Falk said the co-ordination of investigations by the OAIC and ACMA was a positive example of regulatory co-operation that would lead to efficient regulatory outcomes.
If the OAIC’s investigation satisfies the Commissioner that an interference with the privacy of one or more individuals has occurred the Commissioner may make a determination that can include requiring the Optus companies to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage. If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.
While not commenting on the specific investigation, Commissioner Falk said the widespread attention given to the Optus data breach had highlighted key privacy issues that corporate Australia should take heed of.
“If they have not done so already, I urge all organisations to review their personal information handling practices and data breach response plans to ensure that information is held securely, and that in the event of a data breach they can rapidly notify individuals so those affected can take steps to limit the risk of harm from their personal information being accessed,” she said.
“And collecting and storing personal information that is not reasonably necessary to your business breaches privacy and creates risk. Only collect what is reasonably necessary.”
In line with the OAIC’s Privacy Regulatory Action Policy, the OAIC will await the conclusion of the investigation before commenting further.
About Commissioner-initiated investigations
The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1 under section 40(2) of the Privacy Act 1988.
Preliminary inquiries will continue with the Optus companies to ensure compliance with the Notifiable Data Breaches scheme.
The Australian has rather breathlessly covered the story with Optus faces $2.2m penalty for each privacy breach. It is a very brave headline. Fines of that nature will not be in prospect unless the Commissioner commences a civil penalty proceeding in the Federal Court. Today’s announcement was an investigation, no more.
The story provides:
The privacy commissioner has begun an investigation into Optus’ handling of customer data which could seek civil penalties of “up to $2.2 million for each contravention”.
Commissioner Angelene Falk announced on Tuesday the Office of the Australian Information Commission would investigate whether Optus’ handling of consumer data complied with the Australian Privacy principles (APPs).
“The OAIC’s investigation will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business,” a statement from the OAIC read.
“The investigation will also consider whether the Optus companies took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy principles (APPs), including enabling them to deal with related inquiries or complaints.”
The OAIC investigation will be co-ordinated with an investigation by the Australian Communications Media Authority.
The ACMA is working in conjunction with the Office of the Australian Information Commissioner and the Department of Home Affairs to ensure effective information-sharing across the respective jurisdictional investigations.
“When customers entrust their personal information to their telecommunications provider, they rightly expect that information will be properly safeguarded. Failure to do this has significant consequences for all involved,” ACMA chair Nerida O’Loughlin said.
“All telcos have obligations regarding how they acquire, retain, protect and dispose of the personal information of their customers. A key focus for the ACMA will be Optus’ compliance with these obligations.
“We look forward to full cooperation from Optus in this investigation.”
The Optus hack, first reported by this newspaper more than two weeks ago, saw the personal information of near 10m Australians exposed by a hacker who later claimed to have deleted the data after publishing the records of 10,000 people online. The hacker’s initial demand was $1.5m in the cryptocurrency Monero.
The Guardian has an interesting piece, Three investigations launched into Optus data breach, making the point that there are now three investigations into the Optus data breach. That can occur with significant events as different aspects attract the responsibilities of different agencies. But in the case of a data breach it is not good practice. It can slow investigations, is costly and may end up lacking in focus.
The Guardian story provides:
Three separate agencies are investigating Optus following the massive data breach revealed to the public on 22 September.
The Office of the Australian Information Commissioner (OAIC) has today commenced an investigation into the personal information handling practices of the telco and its parent company Singtel Optus.
The OAIC released a statement to say their investigation will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business.
The OAIC’s investigation will be co-ordinated with that of the Australian Communications and Media Authority (Acma), also announced today.
Acma will investigate Optus’ obligations as telecommunications service provider, including relating to the acquisition, authentication, retention, disposal and protection of personal information, and requirements to provide fraud mitigation protections.
The Australian information and privacy commissioner, Angelene Falk, said the co-ordination of investigations would lead to efficient regulatory outcomes.
These investigations come as the consumer watchdog’s scam team continues to respond to 600 complaints a day related to the breach, according to the head of the Australian Competition and Consumer Commission (ACCC).
The ACCC chair, Gina Cass-Gottlieb, said many scammers were taking advantage of the large-scale data breach and posing as the telecommunications giant or Equifax Protect, the credit reporting agency tasked with supporting victims of the breach, to swindle consumers.
She told a parliamentary committee:
What we can see is it’s only a small number of people who have become a victim to a scam, but many are alert to it and are most of all confused and anxious.
The OAIC’s statement said that their investigation could see Optus forced to redress any losses and potentially face civil penalties:
If the OAIC’s investigation satisfies the commissioner that an interference with the privacy of one or more individuals has occurred the commissioner may make a determination that can include requiring the Optus companies to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage.
If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the commissioner has the power to seek civil penalties through the Federal Court of up to $2.2m for each contravention.