
Optus breach, a ‘pivotal moment’ for data protection laws

Australia’s largest-ever data breach — which could end up costing telco giant Optus hundreds of millions of dollars — makes it all but certain that sweeping reforms are coming for privacy regulation and data protection laws.

Jerome Doraisamy, 07 October 2022, Big Law

The Optus data breach — described by one national plaintiff firm as “potentially the most serious privacy breach in Australian history” — has already resulted in two class action investigations, announced last week here and here.

The cyber attack and subsequent hack of the personal information of millions of Optus customers is a timely reminder that many SMEs, including law firms, are “sitting ducks” when it comes to such attacks. As a result, reform to data privacy laws is needed, lawyers have told Lawyers Weekly.

Such reform is likely a sure bet at this point. Hall & Wilcox partner and head of cyber Eden Winokur said in conversation with Lawyers Weekly that the Optus breach would “be the pivotal moment that leads to privacy law regulation in Australia”.


“Although privacy reform has been on the agenda for some time, this will likely be the landmark moment where Australia’s privacy data protection laws are changed — and this will drastically impact the Australian corporate sector,” he proclaimed.

Government support for reform

As Attorney-General Mark Dreyfus KC noted back in June, the Albanese government intends to move on reforms to privacy law during this term of Parliament and that “sweeping reforms are needed” to the Privacy Act in order to ensure that the legislation is fit for purpose in the digital age.

Global law firm King & Wood Mallesons this week released its Privacy Annual Update 2022, discussing the “somewhat slow-moving” consultation on the Privacy Act Review Discussion Paper, released in October last year, which received hundreds of submissions currently under review by the A-G’s Department.

“We don’t think it will be too long until we see some more concrete reform proposals released for public consideration,” the firm suggested.

On the question of whether the change of government will see a change in approach on such law reform, the firm concluded: “Given the broad, bipartisan support for the reform process before the election, it seems unlikely there will be any dramatic change in direction.”

Reform to be expedited?

Looking across the landscape, there has been much discussion, Mr Winokur mused, about reforms to the Privacy Act.

The major change is a proposal, he said, to significantly increase the maximum penalty that can be levied under the Privacy Act from just over $2 million to the greater of $10 million, three times the benefit of the misconduct, or 10 per cent of the organisation’s annual domestic turnover.

“Increasing the maximum penalty for breaches of the Privacy Act to 10 per cent of an organisation’s annual domestic turnover would have the single most significant impact of any reform in changing organisational behaviour around cyber risk,” he noted.

“This is because fines of that magnitude could materially impact the financial viability or profits of organisations.”

“In the Optus attack, such a change would effectively empower the Office of the Australian Information Commissioner to pursue a penalty against Optus of up to $780 million for the incident,” he explained.

“The Australian government is acutely aware of this issue. Cyber Security and Home Affairs Minister Clare O’Neil said the Optus cyber attack has underlined the need for much harsher penalties for organisations failing to properly protect personal data: ‘I also note that in other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars’.”

Is a statutory privacy cause of action on the cards?

Whether individuals should be able to initiate proceedings for breaches of privacy has “long been a topic of hot debate”, KWM wrote.

There is still, the firm said in its report, a strong and significant divergence in views on this question.

“Perhaps understandably, given the broader context of the ongoing growth in class actions and the way privacy is being viewed increasingly through a consumer protection lens, industry submissions were generally strongly opposed to either a direct right of action under the Privacy Act or the introduction of a new statutory tort,” it said.

The Office of the Australian Information Commissioner (OAIC) has taken a nuanced view, KWM outlined, proposing the introduction of both a statutory tort and a direct right of action under the Privacy Act, “but with the direct right of action being subject to a complaint first being made to, and assessed for conciliation by, the OAIC or a recognised dispute resolution scheme (such as an industry ombudsman)”.

“Under the OAIC’s approach, complainants would be able to initiate action in a federal court where the matter is deemed unsuitable for conciliation, conciliation has failed, or the complainant chooses not to pursue conciliation,” the firm listed.

“The complainant would also need to seek leave of the court to make the application. The OAIC would also have the ability to appear as amicus curiae to provide expert evidence at the request of the court.”

These recommendations, KWM submitted, reflect the need to balance the desire to empower individuals to take control of their privacy interests “against the risk of opening the litigation floodgates”.

Investigation by OAIC

With regards to Optus, Mr Winokur added, the telco giant may be facing an investigation by the Office of the Australian Information Commissioner (OAIC).

“The Privacy Act contains 13 Australian Privacy Principles (APP), which organisations (that are not ‘small businesses’) must adhere to in relation to the collection, use, disclosure, storage and management of personal information,” he detailed.

“These include obligations to take steps that are reasonable in the circumstances to protect the personal information held from misuse and unauthorised access or disclosure (APP 11 – security of personal information).”

Based on known information, Mr Winokur stated, it is difficult to see how Optus will avoid a finding that it has breached APP 11 in relation to protecting information from unauthorised access.

“While the OAIC has to date been judicious in pursuing penalties against organisations that suffer cyber attacks, given the enormity of impacted individuals in this circumstance, it may not be surprising to see the OAIC seek a monetary penalty against Optus,” he advised.

And as Australian privacy commissioner Angelene Falk told ABC Radio: “We all need to provide our data every day in order to receive goods and services.

“We need to be able to expect that organisations keep that data safe, and when they don’t, that they will face significant penalties for failing to do so.”
