Optus data breach shows need for stronger privacy laws

Last week Optus announced what may be the largest data breach in Australian history, potentially exposing the personal information of almost 10 million people. Current and former Optus customers are at risk of having their name, date of birth, phone number, email and physical address, passport number and driver's licence number exposed.

Digital Rights Watch is deeply concerned about the severity and scale of this breach, the harm it will cause to individuals, and the apparent lack of robust digital security and privacy protections that could have prevented the breach or minimised its impact.

This breach is a perfect example of the dangers of collecting and storing large amounts of personal information. It’s a stark reminder of the long-overdue need for reform to the Privacy Act, as well as a strong regulator to enforce it.  

The Federal Government is set to announce new security measures following the breach, with particular emphasis on enabling faster and easier data breach notification for banks and other institutions.  

Digital Rights Watch is concerned that the answer being put forward in response to a massive data breach is to make it easier for data to be shared between large companies.  

We urgently need a Privacy Act that is fit for purpose in the digital age. This means minimising how much information companies can collect, use, store and share, and giving individuals a direct right of action when companies fail to protect their customers' information. We also need a well-resourced privacy regulator with the power to impose strong penalties on companies that fail to do the right thing.

“While we do need companies to work together to minimise the risk of harm in the case of data breaches such as this one, what we really need is to start thinking about the long term. That means significant privacy reform. This may be the biggest data breach in Australia’s history, but the next one is likely to be just around the corner.” – Lizzie O’Shea, Digital Rights Watch Chair

Minimise the data collected, minimise the risk of harm

Perfect security doesn't exist, so the best way to minimise the possible harm caused by a breach like this is to collect and store only the smallest amount of personal information necessary. Data that was never collected, or that was deleted once it was no longer needed, cannot be exposed when systems fail.

Companies regulated by the Privacy Act are already supposed to collect only the personal information that is necessary for a given purpose. It is clear that this requirement is not strong enough. We need privacy laws that ensure companies collect and store only the minimum amount of personal information, with harsh penalties when they collect more than they need, given the risk that over-collection creates for the individuals involved.

“You have no choice but to hand over your personal information, including identity documents, to services like telcos. It’s not something you can just opt out of if you want to participate in modern life. These companies have a responsibility to only collect the minimum information that is necessary and to protect the information they do have.” – Samantha Floreani, Digital Rights Watch Program Lead.

A direct right of action for people harmed by a loss of privacy

This news has left people wondering what they can do to protect themselves. While there are some steps that may reduce the harm, such as enabling multi-factor authentication on accounts or placing a credit ban, none of this is foolproof, and it won't prevent future breaches like this from happening. The reality is that as long as companies are collecting large amounts of personal data, this risk will always exist.

People are rightfully angry and scared about what is going to happen with their information. 

“What makes it worse is that there is no recourse for people who are impacted. That’s why we need systematic privacy reform that focuses on preventing these kinds of breaches in the first place. And when companies get it wrong, there should be significant consequences and a clear pathway for people to take action.” – Samantha Floreani, Digital Rights Watch Program Lead.

Individuals should be able to take companies and other organisations that have breached their privacy directly to court. This would be an improvement on the current system, which relies on channelling complaints through the privacy regulator.

“Companies should also face significant fines for doing the wrong thing. The current test for compensation is based on harm suffered. The trouble is, a breach like this requires people to take proactive steps to guard against harm, and they may suffer harm much later in unexpected ways. The test for compensation must change.”  – Lizzie O’Shea, Digital Rights Watch Chair. 

The Privacy Act has been in review for years. We need the government to act soon to ensure that Australia’s privacy laws are up-to-date with the digital age and keep all of us safe.

Click here to send a message to Attorney General Mark Dreyfus calling for him to prioritise real privacy reforms to keep Australians safe online.