Following the data breach affecting millions of Optus customers, the Office of the Australian Information Commissioner (OAIC) has launched a formal investigation into Optus's personal information handling practices.
The OAIC, in collaboration with the Australian Communications and Media Authority (ACMA), will determine whether Optus took reasonable steps to protect consumers’ personal information from “misuse, interference, loss, unauthorised access, modification or disclosure” and whether the information collected and retained was necessary for the operation of the business. Additionally, the OAIC will consider whether Optus took “reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles”.
Australian Information and Privacy Commissioner Angelene Falk described the investigation as a “positive example of regulatory cooperation that would lead to efficient regulatory outcomes.” Separately, the Minister for Cybersecurity announced that the Australian Government will roll out new cybersecurity reforms in the wake of the Optus cyberattack. These changes are said to focus on infrastructure that enables financial institutions to respond swiftly when data breaches occur, so that they can stop compromised personal data from being used to access key accounts. Preventing such cybersecurity attacks in the future will require a collaborative approach between public and private sector bodies.
If the OAIC’s investigation finds that an interference with the privacy of one or more consumers has occurred, the Commissioner may make a determination requiring Optus to implement new acts or practices to prevent such a situation from recurring. However, if the investigation finds serious and/or repeated interferences with privacy legislation and policy, the Commissioner may seek civil penalties against Optus through the Federal Court of up to $2.2 million for each contravention.
For a full reading of the media release, see here.
We have assisted many clients in managing data breaches, including by preparing breach notifications and handling compliance issues with regulators. We also regularly advise clients on privacy policies, privacy impact assessments (PIAs) and Data Breach Response Plans (DBRPs). Please contact us if you need help with your privacy and compliance requirements.