The Optus Data Breach: Will It Lead to Privacy Reforms in Asia?
By Desarack Teso, CIPP-A/CIPP-E, Senior Advisor, Asia-Pacific | 4 November 2022
The Optus data breach in September has so far revealed that the personal data of up to 10 million customers was compromised, including home addresses, drivers’ licence numbers and passport numbers. Optus is Australia’s No. 2 mobile operator and is wholly owned by Singapore’s Singtel.
In the wake of this massive data breach, the Australian government quickly moved to reveal its plans to pursue substantial reforms of the current Privacy Act, including increased penalties. Some of the major regulatory issues that are in scope for review include: What are the “reasonable security measures” to protect personal data? How long is the “timely manner” to report a data breach? What are the “reasonable steps” the organization must take to remediate the breach? What are the potential penalties to promote compliance?
High-profile and massive data breach incidents are hitting closer and closer to Asia. Beyond Australia, they will no doubt raise questions in other countries across the Asia Pacific, particularly those that have a comprehensive privacy law in place but have rarely seen it tested.
What are “reasonable” security measures?
Many countries in Asia with comprehensive personal data protection laws require organizations to put in place “reasonable,” “practicable,” or “appropriate” security measures to protect personal data from unauthorized access, misuse, interference or loss. This regulatory approach is appropriate given the rapid pace of technology developments and the increasing sophistication of malicious actors.
The current reality is that malicious actors are now well-funded, and in some cases state-sponsored. As such, they can employ sophisticated tactics to gain unauthorized access to networks and systems, and there might not have been anything an organization could do about it despite the reasonable security measures it had in place. This is what will likely be investigated in the Optus case.
The scrutiny of “reasonable” security measures must take into account the organization’s size and resources, the complexity of its operations and business model, as well as the amount and type of personal data it holds. In the Optus case, given the amount and sensitive nature of the personal data it held, the size of the organization and its business model, these “reasonable” steps will likely need to be at the sophisticated end of the scale.
What are “timely” data breach notification and “reasonable” remediation measures?
Many countries in Asia require organizations to report a data breach “without undue delay,” in a “timely manner,” or “where feasible” within a specified number of hours (usually 72 hours) after having become “aware” of the breach. There is a consensus among cybersecurity experts that failure to report a data breach quickly can lead to serious harm to the data subjects, including subsequent financial or identity fraud.
Timely data breach notification must be accompanied by “reasonable” steps to protect personal data after the breach. An obvious reasonable step is patching any system vulnerabilities that have been compromised and that may lead to further unauthorized disclosure. Some critics are questioning whether paying the ransom demand should be explored as a remedial measure. Notifying affected individuals so they can be vigilant and take steps to protect themselves should also be prioritized. However, most organizations must weigh any remedial measure against the potential damage to their corporate and brand reputations.
What are deterrent penalties?
The proposed privacy amendment bill submitted to parliament by the Australian government includes increasing the maximum penalties under the Privacy Act; if passed, Australia will have the highest privacy breach penalties in the world.
Currently, the maximum penalty for serious or repeated interference with privacy by companies is A$2.22 million. The proposal calls for penalties equivalent to the greater of: (1) A$50 million; (2) three times the value of the benefit obtained; or (3) if that can’t be determined, 30% of the “adjusted turnover” during the “breach turnover period,” meaning the past 12 months or the duration of the privacy breach (whichever is longer).
For context, the General Data Protection Regulation (GDPR) provides for administrative fines of up to €20 million (approximately A$31 million), or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever is higher, for serious infringement. China’s recently enacted Personal Information Protection Law provides for fines of up to RMB 50 million (approximately A$10.7 million) or 5% of the annual turnover of the preceding year for severe violations. These large penalties pale in comparison to what is being proposed in Australia.
Australia’s proposed privacy amendment bill was submitted to parliament in October, just a few weeks after the Optus breach was discovered in September. Moreover, the government has also confirmed that further privacy reform measures will be revealed at the end of this year. These regulatory actions demonstrate that the government will move quickly and decisively in response to serious privacy breaches.
Will other regulators in Asia take note of Australia’s approach? One thing is certain: organizations must remain vigilant in monitoring and engaging with any reform agenda, and be well prepared to comply quickly with enhanced privacy and information security requirements.