Slow Laws in a Fast Age
Australian data protection laws appear to be enacted entirely in response to data breaches, with very few solutions being established proactively. The only solution that will adequately mitigate risk is to find a sustainable framework that holds corporations that hold consumer data, and the responsible people within them, accountable for successful attacks on their systems. This framework must be broad enough to cover all causes of breaches and impose a combination of deterrents and incentives while maintaining its relevance in an ever-advancing environment.
The Breach
A cyber attack on Optus in September 2022 led to almost 10 million people’s data being stolen, including details of their driver’s licences, passports and Medicare cards. [1], [2] 2.8 million people were put at risk of identity theft and of exploitation for 100-point ID checks, as is often required for transactions such as bank loans and government-issued identity documents. [3] The breach was enabled by a coding error that facilitated ‘quite a basic hack’ according to the Minister for Cyber Security, the Hon Clare O’Neil MP. [4], [5] O’Neil also stated in an interview about the attack on Optus that ‘we’re about five years behind in cyber protections than where we should be’, highlighting the need for broader regulation. [6] The devastation caused by this and the Medibank attack (which occurred only a month later) undermines the trustworthiness of the law in protecting consumers of companies that are negligent in their cybersecurity practices.
Existing Approach
Legislators were reluctant to tighten security standards for telecommunications providers prior to the attack on Optus. [7] The approach of leaving these companies to regulate themselves with minimal oversight has proven to be ineffective, [8] as evidenced by the easily avoidable nature of the Optus breach. Laws regulating this industry following the breach, namely the Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022 (‘the Amendment’), were only created as a reaction in support of impacted customers. [9] Enabling such support following a large breach was rightly the short-term priority of legislators; however, that was the only impact that the Amendment had. This sets the standard that, should a corporation fail to protect consumers’ data, the government will only enact specific regulations that allow said company to react in the most effective manner possible. While this approach is valid in its own right, it fails to create a sustainable framework that prioritises strong cybersecurity infrastructure and practices that avoid substantial breaches in the first place.
New Approach
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (‘the Privacy Amendment’) increased the maximum penalty for a contravention of a civil penalty provision to the greater of $50,000,000, three times the value of the benefit gained by the conduct that led to the contravention, or 30% of the adjusted yearly turnover for the period in which the contravention occurred. [10] This was a strong first step as it shifted the main source of deterrence beyond using ongoing cases alone, such as the action currently being taken against Medibank by the Office of the Australian Information Commissioner (OAIC). The lack of legislation holding offending corporations accountable led the Acting Information Commissioner Elizabeth Tydd to use the Medibank action as ‘a wake-up call to Australian organisations to invest in their digital defences’. [11] The separation and division of powers in Australian law makes federal legislation the most sustainable form of deterrence and should thus be prioritised in data protection regulation over making examples out of ongoing cases.
The Accountability Principle
Despite wide acknowledgement of the insufficiency of current data protection laws, [12] there may be little further legal action that would effectively hold corporations accountable. Limited liability is an obstacle to enacting legislation that has been effective elsewhere: rules founded in the accountability principle are among the most effective at enforcing data protection laws, as reflected in internal policies. [13] The principle involves delegating responsibility to specific people within a company so that they are held accountable should there be a failure, motivating them to act in the consumers’ best interests. [14] This principle has been praised by experts, such as academics from Edinburgh Law School and UCLA, for its effectiveness in encouraging greater emphasis on cybersecurity within organisations, which results in a reduction of breaches. [15], [16] The principle’s foundation in governance would also make it a sustainable solution, as it requires internal standards to be set based on the structure of the corporation and the product it provides, reducing the ongoing need for specific regulations to be enacted by the Government.
Internal Cyber Culture
The best application of the accountability principle in Australia can be found in an organisation’s work culture. Companies that establish a strong internal culture of cybersecurity not only place a social contract on employees to avoid breaches caused by human error, but also put pressure on decision-makers to prioritise the privacy of customer data. [17] Individuals within organisations that hold this data are subsequently held accountable by the people sitting at the desk next to them instead of by the Australian judiciary, creating clear and direct consequences for negligence. While the law is reluctant to dictate what a corporation’s internal culture should look like, the government may incentivise the establishment and maintenance of such a culture. This may take the form of favourable tax treatment for expenditure on cybersecurity education, such as by reducing the amount that a corporation is taxed by the amount spent on such education. While this does involve a decrease in government revenue, studies have found that strong organisational cultures and values show sustainable results. [18]
Australian law is unfortunately ill-equipped to maintain its relevance to the desired extent in the ever-changing field of data protection. There are opportunities for the government to complement existing legislation and create a framework that balances deterrents, incentives and support for victims. Such a framework has the potential to be broad enough to cover a range of cybersecurity attacks without the need to constantly change the law to keep up with technological advances, maintaining its relevance in our ever-changing world.
[1] Ben Knight, ‘Optus data breach class action launched for millions of Australian caught up in cyber attack’, Australian Broadcasting Corporation (online, 21 April 2023) <https://www.abc.net.au/news/2023-04-21/optus-hack-class-action-customer-privacy-breach-data-leaked/102247638>.
[2] Optus, ‘Optus update on Medicare ID Number’ (Media Release, 7 October 2022).
[3] Interview with Clare O’Neil (Laura Tingle, Australian Broadcasting Corporation, 26 September 2022).
[4] Hannah Murphy, ‘Optus cyber attack could have been prevented four years prior, says telecoms watchdog’, Australian Broadcasting Corporation (online, 20 June 2024).
[5] Interview with Clare O’Neil (Laura Tingle, Australian Broadcasting Corporation, 26 September 2022).
[6] Interview with Clare O’Neil (Laura Tingle, Australian Broadcasting Corporation, 26 September 2022).
[7] Parliamentary Joint Committee for Intelligence and Security, Federal Parliament, Background and previous bill review and operation of the legislation to date (Inquiry, May 2021) 2.49-2.53.
[8] Interview with Clare O’Neil (Laura Tingle, Australian Broadcasting Corporation, 26 September 2022).
[9] The Hon Michelle Rowland MP and The Hon Dr Jim Chalmers MP, ‘Changes to protect consumers following Optus data breach’ (Media release, 6 October 2022).
[10] Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) s14(3).
[11] Paul Smith, ‘Medibank faces maximum $21.5 trillion fine in new cyber hack case’, Australian Financial Review (online, 5 June 2024) <https://www.afr.com/technology/medibank-faces-maximum-21-5trn-fine-in-new-cyber-hack-case-20240605-p5jjeg>.
[12] Lauren Croft, ‘Data breaches will cost firms more than money’, Lawyers Weekly (online, 9 August 2023) <https://www.lawyersweekly.com.au/newlaw/37896-data-breaches-will-cost-firms-more-than-money#:~:text=Criminal%20threats%20aside%2C%20a%20cyber,value%20following%20a%20data%20breach>.
[13] Lachlan Urquhart and Jiahong Chen, ‘On the Principle of Accountability: Challenges for Smart Homes & Cybersecurity’ (Research Paper, 19 June 2020) 2.2.
[14] Ibid.
[15] Chris Jay Hoofnagle et al, ‘The European Union general data protection regulation: what is it and what it means’ (2019) 28(1) Information & Communications Technology Law 297, 8.
[16] Lachlan Urquhart and Jiahong Chen, ‘On the Principle of Accountability: Challenges for Smart Homes & Cybersecurity’ (Research Paper, 19 June 2020).
[17] Dan Blum, Rational Cybersecurity for Business (The Author(s), 2020).
[18] S. Sai Manohar and Shiv R. Pandit, ‘Core Values and Beliefs: A Study of Leading Innovative Organisations’ (2014) 125(4) Journal of Business Ethics 667.
This article was originally published under the title ‘Proactive Cybercriminals vs Reactive Laws: Digital Permanence and Data Breaches’ in The Brief Edition 3, 2024 — Ad Aeternitatem.