Optus cyber attack - fallout and lessons
The recent cyber attack on Optus and its reported loss of 9.8m customer records has shone a light on the potential fallout for companies that become the victim of a significant cyber security incident.
In response to the attack, Home Affairs Minister Clare O’Neil has flagged ‘substantial reform’ in this area, including significantly increased penalties for companies that breach data security requirements.
It has also been reported that the attack is likely to prompt changes requiring that banks and other financial institutions be informed immediately by businesses about significant data breaches affecting their customers.
It remains to be seen whether the Albanese Government will reintroduce (either in its previous form or an adapted form) the lapsed Ransomware Payments Bill 2021 (No. 2) (Cth), which sought to establish a mandatory reporting requirement for entities who make a ransomware payment.
Lessons for the business community
As the fallout from the Optus data breach continues, it is timely for all organisations to review the reporting obligations that would apply to them should they suffer a serious cyber attack.
Depending on the nature and scale of your business, you may be subject to one or more of the following reporting regimes.
Security of Critical Infrastructure Act
Entities responsible for critical infrastructure assets are required to report cyber security incidents to the Australian Cyber Security Centre (ACSC) after becoming aware of them:
- within 12 hours – for critical cyber security incidents, being incidents having a significant impact on the availability of the asset; or
- within 72 hours – for other cyber security incidents having a relevant impact on the asset, that is, on its availability, integrity, reliability or confidentiality.
A report made orally within the relevant period must be followed by a written report within 84 hours.
‘Critical infrastructure assets’ include certain assets within the following sectors:
- communications;
- data storage or processing;
- defence industry;
- energy;
- financial services and markets;
- food and grocery;
- health care and medical;
- higher education and research;
- space technology;
- transport; and
- water and sewerage.
Whether a particular asset is a ‘critical infrastructure asset’, and whether the reporting obligation has been switched on for it, depends on the asset definitions in the Act and the rules made under it, so entities in these sectors should confirm their position rather than assume it.
Privacy Act
Businesses covered by the Privacy Act have obligations under the Notifiable Data Breaches scheme to report eligible data breaches:
- to the Office of the Australian Information Commissioner (OAIC) – as soon as practicable after the business becomes aware that there are reasonable grounds to believe an eligible data breach has occurred; and
- to individuals at risk of serious harm from the breach – as soon as practicable after preparing the statement given to the OAIC.
‘Eligible data breaches’ are breaches involving unauthorised access to, unauthorised disclosure of, or loss of personal information that are likely to result in serious harm to any of the individuals to whom the information relates, and where the business has not been able to prevent the likely risk of serious harm through remedial action. Where a business only suspects that an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment, and take all reasonable steps to complete that assessment within 30 days.
APRA or ASIC requirements
Other reporting obligations may arise for APRA and ASIC-regulated entities, including:
- under the breach reporting (‘reportable situations’) regime for AFSL holders – for example, if there has been a significant breach of a core obligation, a report must be lodged with ASIC within 30 calendar days after the licensee first knows, or is reckless as to whether, a reportable situation has arisen; and
- under CPS 234 for APRA-regulated entities – entities must notify APRA as soon as possible and no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders, beneficiaries or other customers, or that has been notified to other regulators. Entities must also notify APRA no later than 10 business days after becoming aware of a material information security control weakness that they expect will not be remediated in a timely manner.
Contractual reporting obligations
Suppliers of goods and/or services should take note of any mandatory notification obligations under contractual arrangements with counterparties – for example, a requirement to immediately notify the client if the supplier becomes aware of a breach or potential breach of the security of any client data held by the supplier. Contractual timeframes are often shorter than the statutory ones, so they should be recorded in the incident response plan alongside the regulatory deadlines.
Businesses that are not subject to mandatory reporting regimes should also review their readiness and responsiveness to cyber attacks, including a review of the bodies to whom the business might wish to report a significant cyber attack – such as the ACSC (through ReportCyber) and/or the AFP.
This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.
Cyber Alliance Group
Head to the Cyber Alliance Group website to find out more about our full service, cyber security offering and how we can assist your business.