Cyber security is one of the latest buzz words, and deservedly so, with up to 9.7 million Optus customers falling victim to a cyber-attack on 22 September 2022. While the full scale of the breach is yet to be determined, the attack resulted in the unauthorised disclosure of personal information including names, addresses, phone numbers and identification document numbers, including driver's licence, Medicare and passport numbers.
Alarmingly, over 67,500 incidents of cyber security crimes were reported during the 2020-21 financial year, an increase of nearly 13 per cent from the previous year.[1]
The Australian Cyber Security Centre (ACSC) 2020-2021 annual report observed that fraud-related cybercrime – where actors use computers or online services to commit fraud – is the major threat for consumers, with online shopping and online banking being the most prevalent sources of these frauds.
It is abundantly clear that cyber security should be front of mind for all Australians and organisations.
On 11 October 2022, the Office of the Australian Information Commissioner (OAIC) commenced an investigation into the personal information handling practices of the Optus group in relation to the data breach. If the OAIC’s investigation reveals ‘serious and/or repeated’ interferences with privacy, the OAIC is empowered to seek penalties of up to $2.2 million.
What can you do to protect yourself?
While penalties are likely to be imposed and legislative reform of privacy law is impending, there are steps you can take in the meantime to remain vigilant against cyber-security attacks. These include:
- securing and monitoring your devices and accounts regularly to identify unusual activity;
- ensuring apps are up to date with the latest security updates; and
- enabling multi-factor authentication for all accounts.
What obligations do organisations owe consumers to protect against cyber-security risks?
Under the Corporations Act 2001 (Cth), Directors and AFS Licensees alike have duties of due diligence and duties to act honestly and fairly, and are obliged to have adequate risk management systems in place to handle cyber-security risks.
In the case of Optus, the OAIC’s investigation will assess whether the organisation took reasonable steps to protect the personal information it held from unauthorised use and disclosure, and whether the information collected and retained was necessary to carry out its business operations.
A similar test was adopted by Justice Rolfe in ASIC’s case against Australian financial services licensee RI Advice Group Pty Ltd in May 2022. In that case, Justice Rolfe made clear that the standard of cyber-security risk management systems required of each AFS Licensee will be assessed by reference to the reasonable adequacy of the system and the relevant technical expertise of the skilled person tasked with assessing the risks faced by the business in respect of its operations and IT environment.
What steps can organisations take to uphold their obligations?
To be proactive in protecting against cyber-security risks, organisations should ensure:
- computer systems are up-to-date with the most current version of anti-virus software;
- emails are filtered or quarantined;
- back-up systems are in place and being regularly performed;
- access to systems and interfaces is adequately secured with appropriate credentials or passwords;
- they act efficiently and take proactive steps to protect consumer information; and
- they foster a culture of upholding good cyber-security practices.
[1] Australian Cyber Security Centre, Australian Cyber Security Centre Annual Cyber Threat Report (Annual Report, 1 July 2020 to 30 June 2021) 8.