The Australian Computer Society (ACS) has backed up calls from the federal government to reform current privacy and cyber security laws following the breach of over 9 million Optus customer records.
On 28 September, Prime Minister Anthony Albanese said in Parliament that the breach of the data, which included drivers’ licence numbers and passport numbers, “should never have happened”.
“Clearly we need better national laws after a decade of inaction to manage the immense amounts of data collected by companies about Australians and clear consequences for when they do not manage it well,” he said.
This follows comments made by the Minister for Home Affairs and Cyber Security Clare O’Neil on ABC’s 7.30 that action needs to be taken to enforce a baseline when it comes to cyber security.
“We need to be looking at a variety of issues, including the powers that I have as Cyber Security Minister, to mandate minimum cyber security standards which could have prevented this from occurring.”
In response, the ACS said it agreed with the sentiments from Albanese and O’Neil on the need for revising privacy and cyber security laws.
“Over the past decade we have seen a range of security, data retention, money laundering and privacy legislation to address various problems with little co-ordination between those laws,” said ACS CEO Chris Vein.
“As a consequence, it has been difficult for organisations and technology professionals to follow best practice data management while complying with a myriad of conflicting legislation.
“ACS sees a review in light of the Optus breach as an opportunity to modernise Australia’s technology legislation framework with an aim of protecting all Australians while enabling the nation’s digital champions to compete globally.”
As to what the review must look at, ACS Cyber Security Committee chair Louay Ghashash said it must involve the enforcement of security best practices, with “substantial” penalties for those that do not comply.
“There should be a push from the government to establish minimum standard best practice and require companies handling and dealing with sensitive data to implement, but this is a complex task; it will cause a huge burden on smaller companies to implement and comply, therefore this must be done using a consultative approach,” he said.
“The standard must be comprehensive enough to cover various types of threats and malicious acts, including companies’ internal staff behaviour and data handling. For instance, take the Australian Cyber Security Centre’s Essential Eight requirements. Optus’ breach would probably still have happened even if they had implemented it, as the Essential Eight requirements focus on malware and ransomware attacks and don’t cover handling sensitive data or exposing it to the internet.
“Additionally, we also have to consider the regulatory burden on companies where they are required to store vast amounts of personal and sensitive data to validate and identify customers in order to comply with legislation.”
As a suggestion, Ghashash said the way payment gateway companies use tokenised payments, rather than each company storing customer credit card numbers itself, could be a model that companies adapt for identification purposes.
“Rethinking legislative data collection requirements along with how that information is stored and handled would help reduce the risks of future events on the scale of what has happened to Optus,” he added.
“Finally, the financial penalties of companies mishandling users’ personal data should be high, prohibitive and commensurate with the size of the breach.”
The calls to reform cyber security laws come days after law firm Slater and Gordon announced it was investigating a potential class action case against Optus over the breach.