Australia: Optus data breach: Lessons for CEOs, Legal Counsel and Chief Risk Officers

While the media adds further information and details about the Optus data breach each day, there are some key lessons that organisations can learn which go beyond merely cybersecurity hygiene. In this article, we put a spotlight on the broader governance and risk issues that also need attention.

Risk processes – do your actions align with your risk appetite?

It is trite to say that the corporate material of just about every organisation will say "cybersecurity is important" to it. Similarly, just about every privacy policy begins with words such as "your privacy is important to us". However, there is a question of whether the organisation's investment in risk processes actually aligns with the stated risk appetite.

While we have no insight into the situation at Optus, we do have the report from the NSW Auditor-General on how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cybersecurity risks from July 2021 and the issues they had where high-risk known vulnerabilities cybersecurity appeared on risk registers over several years with no budget being allocated to that known risk. Lack of budget allocation and investment in remediating known issues is itself a key risk.

Organisations without an internal process that aligns with their documented risk appetite may face regulators and other stakeholders using that documented anomaly for the purpose of extracting penalties and/or compensation.

Similar deficiencies were also called out by the NSW Auditor-General in relation to their review into the effectiveness of Service NSW's handling of customers' personal information to ensure its privacy released in December 2020. One of the issues in that report was that responsibility and reporting lines did not match up so key oversight was missing. While it is clear that a Chief Financial Officer is responsible for finance and there is a clear reporting line and sufficient staffing, and a Chief Information Officer is responsible for organisational information and systems, the risk of privacy compliance is often one that is not subject to the same degree of C-suite attention – we discuss why below.

Learn from your own past mistakes

While media attention is focusing on the current Optus event as a cybersecurity incident, it is also a breach of the Privacy Act and SingTel Optus has the rare honour of being the first company in Australia to agree on an enforceable undertaking (EU) for breach of the Privacy Act in March 2015.

At that time, there were three breach incidents that gave rise to the regulatory intervention and the EU. In summary, they were:

• a coding error that published approximately 122,000 (silent) telephone number listings as public on an online directory
• Optus had left the management ports for its modems open with no change to the factory default setting and some 300,000 of the modems that were distributed to customers were open to hacking as the default password had not been changed
• an incident in their security processes allowed individuals to retrieve voicemail from outside the Optus network without password access.

The EU involved Optus needing to undertake a number of reviews of its systems by independent third parties, have the recommendations of the reviews implemented and then have the implemented changes certified by a further third party, all within an 18-month timeframe.

Having been through this exercise, one might have thought that Optus would have a robust process for assessing, on a risk basis, new projects and would foresee and hence guard against some of the issues that appear to have occurred in the most recent breach.

The Optus EU in 2015 involved an 18-month period. Increasingly, regulators are imposing EUs which cover three years as a minimum and involve sharing results of independent reviews directly with the regulator. A likelihood many organisations would seek to avoid.

Risks assessments and privacy impact assessments

The Optus breach calls into question the need for organisations to have processes that are clearly documented to undertake risk assessments and in particular, privacy impact assessments (PIAs) of processes and procedures when they are first implemented or later changed.

Given that some of the identity documents that have been hacked at Optus appear to be out of date and that these details were retained for a long time, arguably longer than they were reasonably required to be held by the business, as is the limitation under the Privacy Act, there was no documented procedure to ask the question of data retention and destruction or deletion and deal with this issue.

Organisations should consider even short-form PIAs to uncover these types of risks when either a new process is being implemented or an existing process is being changed. Finding the problem at the design phase is far less costly than remediating a problem later.

One of the issues that became apparent from the Auditor-General's review of Service NSW was that when existing systems and legacy arrangements were asked to do more and take on more complex information, no PIA was undertaken and hence the risk of overloading the system or of an existing system not being up to the task of the information it was asked to retain in terms of security and access, was missed as part of the risk process.

Underestimating regulatory risk

There is an old saying that the best interest is self-interest. One risk for companies in allocating priority to matters of privacy and potential data breaches is that the regulator, the Office of the Australian Information Commissioner (OAIC), is underfunded and that the fines that it can impose are small by comparison to other regulators such as ASIC and ACCC. They, in contrast, can also impose personal civil and criminal sanctions on officers, including banning orders. Hence, the perceived risk of action by the OAIC is likely to be low.

However, there are two facts that mitigate against complacency. Firstly, the review of the Privacy Act is considering increasing penalties to bring them into line with those imposed by the ACCC. Secondly, even if those changes are delayed, we have seen since the digital platforms enquiry and the move into open banking with the advent of the consumer data right that there can be co-regulation as between the ACCC and the OAIC and that raises the potential for higher penalties.

Holding Redlich regularly assists management and boards with implementing, reviewing and uplifting privacy and data governance processes. We can also assist in data governance and breach management processes, and management training.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.