Optus data breach and monitoring by APRA-regulated entities

The Treasurer has announced that the Government proposes to amend the Telecommunications Regulations 2021 to enable Optus and other telecommunications companies to temporarily share approved government identifier information (such as the driver's licence, Medicare and passport numbers of affected customers) with regulated financial services entities. The purpose is to allow those entities to implement enhanced monitoring and safeguards for customers affected by the data breach.

In addition, Optus will be able to share identifiers to assist Commonwealth, state and territory agencies to detect and assist in preventing fraud.

UPDATE: The Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022 was registered on 11 October 2022.

The proposed regulations will be limited as follows:

  • The regulations cover financial institutions that are regulated by APRA, excluding branches of foreign banks;
  • The Communications Minister has the ability to specify additional services entities, if required, but only for entities that are related to or support an APRA-regulated entity;
  • Information can only be used for the sole purposes of preventing or responding to cyber security incidents, fraud, scam activity or identity theft;
  • Entities that wish to receive the data must provide written commitments to the ACCC that they will comply with their obligations under the Privacy Act 1998, attest to APRA that they meet the relevant information security standard, and confirm in writing that the information they are seeking is necessary and proportionate;
  • Approved recipients must satisfy robust information security requirements and protocols for any transfer and storage of data;
  • Information received must be destroyed once it is no longer required.

APRA says that the process to receive data from Optus includes the following steps:

  • Financial services entities provide written attestation to APRA that the data will be managed in accordance with Prudential Standard CPS 234 Information Security.
  • Any data shared can only be used for the purposes of implementing enhanced monitoring and safeguards for customers affected by the data breach.
  • Entities will also need to provide written commitments to the ACCC that they will comply with Privacy Act obligations.
  • Once an entity has complied with these requests, it would work with Optus to facilitate access to the data.

See also: ACCC information on applications for access.

Author: David Jacobson
Principal, Bright Corporate Law