Companies are set to be forced to cut back the vast amounts of sensitive data they retain about their customers under changes to privacy laws being considered by the Albanese government in response to the Optus cyberattack.

Optus is facing major fines and damages payouts under current rules, even as the government prepares to significantly increase financial penalties for companies that fail to secure customer details from hackers.

Attorney-General Mark Dreyfus has questioned why companies are keeping so much sensitive information on customers. Credit: Eddie Jim

Attorney-General Mark Dreyfus said he wanted to overhaul privacy laws within months as he questioned why Optus kept customers’ personal document identification numbers for years, even after they left the telecommunications giant.

Companies appear to be hoarding troves of customer data for commercial benefit rather than simply to comply with government regulations, Dreyfus said.

The government’s top privacy official agreed, saying laws need to be updated to ensure companies retain only essential personal information about their customers and face greater consequences for not securing it appropriately.

Assistant Treasurer Stephen Jones said the hacker responsible for the Optus attack appeared to be a “kid in a garage” rather than a sophisticated state actor.

The government is still waiting on a response from Optus over the demand the company pay for replacement passports for affected customers.

Dreyfus said companies that inspected driver’s licences or passports to confirm their customers’ identities did not need to retain the information for years afterwards.

“For too long, we’ve had companies solely looking at data as an asset that they can use commercially,” he said.

“We need to have them appreciate very, very firmly that Australians’ personal information belongs to Australians.”

The Privacy Act is under review and Dreyfus said he wanted new legislation to be drafted this year.

Australian Information and Privacy Commissioner Angelene Falk said: “The regulatory framework needs to shift the dial to place more responsibility on organisations who are the custodians of Australians’ data, to prevent and remediate harm to individuals caused through the handling of their personal information.”

She added: “Organisations should also make sure that they are only gathering personal information that is necessary to carry out their business.

“When that information is no longer required, they must take reasonable steps to destroy or de-identify the personal information they hold.

“Collecting and storing unnecessary information breaches privacy and creates risk.”

The Sydney Morning Herald and The Age reported this week that metadata laws designed to help law enforcement detect criminals online do not tell phone companies what identity documents they have to keep on their customers.

Australian Computer Society chief executive Chris Vein backed a revamp of privacy and cybersecurity laws, saying: “Over the past decade we have seen a range of security, data retention, money laundering and privacy legislation to address various problems with little co-ordination between those laws.”

Optus has admitted that almost 37,000 Medicare numbers were exposed as part of the hack that affected about 10 million people. Of those, 22,000 were expired, but only one digit of a Medicare number changes when a new card is issued.

As police continue to investigate who was behind the attack, Assistant Treasurer Stephen Jones told Sky News: “If you just look at the amount of ransom or bribe that was sought by the actor … someone who asks for a million dollars, that’s more the ring of a kid in a garage than a state actor, I’ve got to say.”

The company’s Singaporean parent company, Singtel, issued a statement late Wednesday apologising to Optus customers and backing the company’s chief executive, Kelly Bayer Rosmarin.

“We have extended our fullest support to Kelly and the Optus management team as they work to minimise inconvenience and risk to customers,” a Singtel spokesman said.

Australian Privacy Foundation board member and UNSW Professor Graham Greenleaf said it was not well appreciated that current rules offer “a lot of opportunities for penalties and compensation” following the cyberattack, though he welcomed the pledges to make them stronger.

As well as fining Optus up to $2.1 million for any potential data breaches for not securing information or keeping too much information, he said the Information and Privacy Commissioner could allow individual complainants to launch class action-style litigation.

He said the costs to Optus could be “potentially very large” given almost 10 million customers were affected by the breach.

Maurice Blackburn, a major national law firm, has joined its rival Slater & Gordon in investigating a group claim against Optus over the breach.

Optus has consistently defended its cyber practices, saying it was the victim of a “sophisticated” attack despite the government viewing it as “quite basic”. It has said it is doing all it can to support customers and working with authorities on the investigation.
