2022-10-17

The cyber attack on Optus has put the spotlight on a legal quirk that means corporations don’t have to tell anyone they’ve been hacked.

A spokesperson for attorney-general Mark Dreyfus told Crikey (sister publication of The Mandarin) the federal government is considering plugging the loophole, which allows organisations that have been hacked to keep it a secret.

“Millions and millions of Australians have been affected by the Optus data hack and are rightly concerned about the loss of their personal information,” the spokesman said.

“The Albanese government is committed to protecting the personal information of Australians.”

The rules about when organisations have to disclose that a hack has occurred are spelled out in the Notifiable Data Breaches scheme.

Under the scheme, companies are only required to tell the Office of the Australian Information Commissioner (OAIC) and the victims of the hack that a breach has occurred if it’s deemed “eligible”.

But in order for a breach to be eligible, it has to meet certain criteria, including that the organisation that was targeted “has been unable to prevent the likely risk of serious harm with remedial action”.

The breach must also have involved unauthorised access to personal information, and be likely to result in serious harm to the individuals whose data was accessed, in order to be subject to mandatory reporting.

“There is huge scope for organisational judgement about disclosures … Public disclosure is never required,” University of Sydney professors Jane Andrew and Max Baker told Crikey.

The pair have been trying to establish a database of hacks and have found the task near-impossible because there is no central hub of information.

“We need a public repository of data breach information. All organisations should be required to file an annual notification so the public can build a better picture of data security, and to encourage organisations to foreground data security issues,” they said.

The attorney-general’s spokesperson said Dreyfus would consider “strengthening the Notifiable Data Breaches scheme in response to the Optus incident and as part of the Privacy Act review due to be completed by the end of this year”.

The review of the legislation, which came into force in 1988, was initiated by the former government in 2020.

Dreyfus told the National Press Club last week that bringing the review of the Act to a conclusion would be one of his goals in his first year as attorney-general.

“We have a very outdated piece of legislation in the Privacy Act,” Dreyfus said.

The review will inform an “overhaul” of the Privacy Act next year, Dreyfus’ office said.

The attorney-general also wants to see stiffer penalties for companies that incorrectly store data than today’s maximum fine, which sits at just above $2 million.

A recent report from the OAIC said 71% of hacks affect fewer than 100 people, meaning most hacks that happen are likely to fly under the radar even though they may have significant impacts on victims.

The massive hack on Optus, which affected millions of customers, has been followed by other high-profile cyber incidents in recent weeks.

They include an attack targeting MyDeal, an online shopping website owned by grocery giant Woolworths Group, which confirmed at the weekend that 2.2 million customers had been impacted.
