Australia may have tough new data protection laws in place this year in an urgent response to a cyber attack that stole the personal data of 9.8 million customers, the Australian attorney general said Thursday.
Attorney General Mark Dreyfus said the government will make “urgent reforms” to the privacy law after an unprecedented hack last week on Optus, Australia’s second-largest wireless carrier.
“I think it is possible” that the law could be changed in the remaining four weeks Parliament is due to convene this year, Dreyfus said.
“I will be looking seriously over the next four weeks about whether we can bring privacy law reforms to Parliament before the end of the year,” Dreyfus told reporters. Parliament next convenes on October 25.
Dreyfus said penalties for failure to protect personal data should be increased so that corporate boards cannot dismiss fines as “the cost of doing business.”
“The extremely large amounts of customer data companies held for years should be justified under the amended law,” Dreyfus said.
“Companies have to look at data storage not as an asset, but as a potential liability or responsibility,” Dreyfus said. “For far too long, we’ve had companies that just look at data as an asset that can be used commercially.”
The government blames lax cybersecurity at Optus, a subsidiary of Singapore Telecommunications Ltd., also known as Singtel, for the theft of personal information of current and former customers.
In a statement released on Wednesday, Singtel’s management apologized, saying, “We deeply regret everyone affected by the data theft.”
“Since the incident, our focus has been to support Optus’ efforts to assist affected customers and strengthen their security controls,” the statement said.
“Information security is of paramount importance to the Singtel Group and a top priority across all of its business units, and we are investing significant resources to continually strengthen our defenses against emerging threats,” the statement added.
The data included passport, driver’s license and national health care identification numbers, which can be used for identity theft and fraud.
Authorities are criticizing Optus’ initial failure to disclose that Medicare numbers were among the data stolen. That became apparent Tuesday when the hacker dumped the records of 10,000 customers onto the dark web, six days after Optus discovered the cyber attack.
The urgent legislative response is separate from the broader review of the privacy law that began three years ago. The law was passed in 1988 and critics say it desperately needs to adapt to the digital age.
The government said Optus could be fined a maximum of A$2 million ($1.3 million) for breaching the privacy law.
The government said it could be fined hundreds of millions of dollars for a similar security breach under European Union laws.
Submissions to the Privacy Act review have proposed penalties for violations equal to 10% of revenue from Australian operations.
Optus CEO Kelly Bayer Rosmarin has argued against increasing fines, telling the Australian Broadcasting Corporation on Tuesday: “Frankly, I’m not sure what sanctions are benefiting anyone.”
Optus maintains that it was the target of a sophisticated cyber attack that breached several layers of security.
After an emergency meeting with bank regulators and consumers, Financial Services Secretary Stephen Jones said “scammers” have already started using the stolen data, which includes phone numbers and email addresses.
With personal information stolen from 38% of Australia’s 26 million residents in the hack, Jones said, “You cannot overstate the impact of this breach on consumer issues.”
Optus customers are being warned not to open URLs they receive by text or email, as the messages may be from criminals trying to steal more information.
“We are all doing the best we can to try and work our way through the long tail of problems that will be the result of this massive data breach,” Jones said.