Although privacy reform has been on the agenda for some time, he told Lawyers Weekly, this incident involving one of Australia’s biggest telcos will likely be the landmark moment where Australia’s privacy data protection laws are changed — “and this will drastically impact the Australian corporate sector”, he espoused.

Already, Optus is facing two potential class actions, reported by Lawyers Weekly here and here. And, earlier on Tuesday, 11 October, the Office of the Australian Information Commissioner (OAIC) launched its own investigation into the personal information-handling practices of Singtel Optus, Optus Mobile, and Optus Internet in relation to the breach.

Lessons

There are many lessons to be learned from the Optus attack, Mr Winokur outlined.

“The incident has shone a light on the reality that any organisation can be impacted by a cyber attack. While cyber risk cannot be reduced to zero, there are steps that can be taken to mitigate that risk,” he said.

“Transparency is paramount when it comes to incident response. Customers should be communicated with directly and clearly, not find out about an incident in the media.”

Getting the incident response right, Mr Winokur continued, is critically important.

VIEW ALL

“This includes undertaking investigations, gathering facts and providing clear, accurate and helpful communications to all stakeholders,” he said.

It is arguable, he reflected, that Optus’ incident response may not have been executed in a way that meets the expectations of the government, Optus customers or the community.

“Various things being pointed to include that Optus should not have: told the public that the attack was sophisticated when it appears not to be; required customers to contact Optus to ask what of their data was impacted; or required customers to proactively seek compensation for credit monitoring or to replace identification cards impacted by the incident, which was initially rejected,” he said.

Optus should have, he listed, “proactively offered credit monitoring and identity protection services immediately to those whose government identification cards were impacted, not a few days after the attack became public and only after [Home Affairs] Minister O’Neil demanded it on the floor of Parliament; immediately reached out to federal and state governments about finding a way to streamline the reissuing of impacted identification cards, rather than it taking around a week to occur; and told customers exactly what type of data was impacted from the beginning, rather than finding out almost a week later that Medicare cards were impacted”.

The Australian government has also flagged potentially fast-tracking new data breach notification rules, Mr Winokur explained, to ensure better oversight of suspicious activity, such as compelling organisations to notify banks as soon as possible after becoming aware of a cyber attack.

Elsewhere, demand for cyber insurance may increase, particularly with privacy reform on the horizon, he suggested.

“Cyber insurers may face greater exposure if the predicted changes to the Privacy Act come into effect. In an already hardened market, Privacy Act reform may lead to higher premiums, lower policy limits and a more stringent screening process by insurers for prospective customers.

“Notwithstanding these potential changes, significantly higher potential penalties may change the risk dynamic for companies assessing whether to obtain cyber insurance, and companies that previously decided against purchasing this insurance may now reassess that decision,” he said.

Steps to take

There are a number of immediate steps that organisations must take, Mr Winokur detailed, to ensure that they are not the next Optus and that if they are attacked, they are able to respond in an effective manner.

These include, he listed, “making inquiries of internal or external IT providers about the security of the organisation’s systems (and don’t just accept that everything is secure)”.

“It is important that organisations carry out testing with IT experts to try to break their systems and identify vulnerabilities,” he said.

Corporates should also be properly assessing how the organisation would respond to a major data breach or cyber security incident, Mr Winokur noted.

“This includes engaging lawyers with expertise in cyber law to ensure the organisation has a robust incident response plan to deploy if it becomes the subject of a cyber attack,” he said.

“A good incident response plan includes identifying the group within and external to the organisation responsible for the response, understanding legal obligations, a clear communication strategy for all stakeholders (including customers or clients) and assessing the types of decisions an organisation may need to make if an incident occurs — including taking a position on issues like a ransom demand.”

They should also be analysing and considering the types of personal information it collects, he went on.

“This includes only collecting personal information necessary for its functions and activities and ensuring that the organisation has a data retention policy that involves the deletion or de-identification of data in accordance with regulatory obligations set out in the Privacy Act,” he said.

Finally, Mr Winokur said, they should be ensuring that staff are properly trained to prioritise cyber risk and privacy law compliance. Probably all cyber attacks, he mused, involve some element of human error.