There has been much written about the recent ransom attack on Optus after it revealed that the information of between 3 and 10 million (depending on the report) current and former customers had been compromised.
In the wake of this attack, there have been calls from political parties, consumer advocates and other bodies for law reform and harsher penalties for companies in the position of Optus. This update untangles those proposals and explains whether they would change the outcomes for Australian businesses that find themselves subject to a similar attack.
Ransomware specific legislation
The Shadow Minister for Home Affairs tabled a private member’s bill in Parliament on Monday, 26 September 2022, titled the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 (Coalition Bill).
The Coalition was able to act so quickly because the Coalition Bill is a re-introduction of the bill which it introduced whilst in Government in February 2022. Competing legislative priorities meant that the initially introduced bill was not passed prior to the election.
If passed now, the Coalition Bill would introduce:
- new criminal offences for cyber attackers (such as a standalone offence for any form of cyber extortion using ransomware);
- new powers for enforcement authorities (such as allowing them to freeze or seize cryptocurrency assets); and
- new maximum penalties ranging from 5 to 25 years imprisonment for those convicted of cyber crimes.
We note that the Coalition Bill would apply only to the perpetrators of a ransomware attack, and not to Optus (or a company in Optus’ position) directly. In that sense, it is not a response to the current call for more focus on the potential targets of these attacks.
In any event, the perpetrators of the Optus attack have already committed numerous offences under existing law (and will commit more if they follow through on the threat to sell Optus’ customers’ data), which the Australian Federal Police has launched ‘Operation Hurricane’ to investigate. It is unclear, therefore, whether the passage of the Coalition Bill would have been a material deterrent to the perpetrators, or would have changed anything for the target, in this instance.
Added to that, history tells us that the prospects of any private member’s bill being passed in Federal Parliament are poor.
More ransomware specific legislation
If the Labor Government felt under pressure to take action, or wanted to counter the Coalition Bill with one of its own, it could consider reviving the Ransomware Payments Bill 2021 (No. 2) (Labor Bill), which it also introduced as a private member’s bill from opposition in 2021.
The Labor Bill proposed a mandatory reporting requirement for companies (other than small businesses) that suffer ransom attacks. Under the proposed regime, companies would be obliged to notify the Australian Cyber Security Centre (ACSC) before making a ransom payment. The idea was that the ACSC would use the information it receives to better identify threats, to share information with law enforcement and to track the effectiveness of cybersecurity policies.
Being a private member’s bill, the Labor Bill was held up by the previous government. The Optus attack may provide renewed impetus for the Government to now be seen to be taking further action.
However, we question whether it would have changed much in the current scenario – from what we can glean publicly, Optus appears to have notified and worked with the Government. In any event, the telecommunications sector version of the incident notification requirements under the Security of Critical Infrastructure Act 2018 (Cth), which was given effect by way of a new carrier licence condition, may already have required Optus to notify the Australian Signals Directorate of the cyber attack (even if not of the ransom demand specifically).
Privacy Act penalties
While it might come as no surprise to privacy practitioners, it is entirely possible that the Optus ‘breach’ occurred without any breach of the Privacy Act 1988 (Cth) (Privacy Act) on the part of Optus. Australian Privacy Principle (APP) 11 requires Optus (and all regulated ‘APP entities’) to take reasonable steps to protect personal information from unauthorised access or disclosure, but it is a ‘reasonable steps’ obligation only, not a guarantee of security. The fact of the attack does not by itself establish that Optus’ protection of its systems fell short of the statutory standard. Unless the reports that the compromised API was negligently left open to attack are substantiated, Optus may not have breached APP 11.
The Telecommunications Sector Security Reforms, which commenced in 2018, impose a somewhat higher standard on telecommunications operators. They require carriers to “do their best” to protect telecommunications networks and facilities from unauthorised interference or unauthorised access, including by maintaining ‘competent supervision’ and ‘effective control’ over those networks and facilities. However, it is likely that these obligations do not extend to the type of system and customer database that were accessed in the current attack.
Regardless, there is no doubt that the Optus attack will strengthen calls to increase the penalties under the Privacy Act. Currently, the maximum penalty available under the Privacy Act is $2.22 million, and that applies only to serious or repeated interferences with privacy. This is well below the level of penalties we have seen imposed overseas, particularly in the EU, for data breaches.
The previous Coalition government announced in 2019 (before that year’s election) that it would increase the maximum penalty to the greater of:
- $10 million;
- three times the value of any benefit obtained (directly or indirectly) from the contravention; or
- if the value of the benefit cannot be ascertained, 10 per cent of the organisation’s annual turnover.
This is the same maximum penalty as currently applies under the Australian Consumer Law.
Despite being announced in 2019, legislation to implement this penalty was not introduced until November 2021 and, as a result (along with other factors), was not passed prior to the election this year. Given that Labor supported the increased penalties when in opposition, we may now see an appetite to progress these changes, although they are potentially bound up in the wider reform agenda for the Privacy Act.
Privacy law reforms
The Optus attack takes place against the backdrop of the ongoing review and potential reform of the Privacy Act. The review, which was announced in 2019, has already gone through two rounds of public consultation, on a number of proposals which have the potential to reshape Australia’s privacy landscape.
One of the key topics of debate in the review is whether individuals should have a direct right of action in respect of privacy breaches. Presently, the Privacy Act is administered and enforced by the Privacy Commissioner (part of the Office of the Australian Information Commissioner). Importantly, individuals currently have no ability to bring actions (including class actions) directly against entities that have breached the APPs in the Privacy Act.
Moreover, there is no clearly recognised tort of invasion of privacy, or similar remedy, available under the common law. It has been difficult to bring common law actions for interferences with privacy in the past – particularly interferences which involve information or data (as opposed to an individual’s physical self). The common law generally protects privacy only as a by-product of protecting interests that have clearer legal recognition, such as confidentiality or contract. Against this background, the latest Privacy Act Review Discussion Paper kept the proposal for a statutory tort of privacy on the cards. The proposal gained impetus most recently as a result of the ACCC’s recommendations in the Digital Platforms Inquiry (see our previous article, 'Groundhog Day for Privacy Tort', for more).
The common theme of much of the reporting of the Optus breach is that individuals want a remedy, and at least to be able to cover their costs of taking protective action. This might be the impetus that is needed for these reforms.
Proposal of obligation to notify banks
Finally, in the days following the attack, the media has given considerable attention to an apparent proposal by the Government to require Optus and other compromised companies to notify banks and financial institutions about such attacks. The purpose seems to be to enable banks to increase their fraud monitoring controls for the accounts of potentially impacted individuals.
For its part, Optus has said it will provide 12 months of fraud monitoring for individuals who have been worst affected by the attack. It has also announced that it will pay for replacement drivers’ licences where details have been published.
At the time of going to print, there are very few details available about this proposal, and it is unclear whether the Government is seeking to implement its plan by way of new legislation, amendments to existing regimes, new policies or otherwise. We have heard little from the banks about whether they would find this useful or practical.
It was always only a matter of time before an attack of this scale occurred in Australia. The growth of ransomware as an industry means that all businesses are exposed. According to a report published in 2022 by the security vendor Sophos, 66% of organisations worldwide were hit by a ransomware attack in 2021, a 78% rise on the previous year; in Australia specifically, 80% of businesses were attacked. While reform to increase the penalties under the Privacy Act and, potentially, to expand the rights of individuals is likely in the not too distant future, those reforms will bear most heavily on businesses that are not taking the right steps to protect data in the first place. Preparedness will be key.
Authors: Melissa Fai, Lesley Sutton, Mark Ferguson, Reuben Challis