It has been two weeks since news broke of the Optus data breach, perhaps the largest ever in Australia, hitting nearly 10 million current and former customers of the country’s second-biggest telco.
For 9.8 million Australians, there is fear and uncertainty about how exposed they are to scams, identity fraud and other personal harm. This argument doesn’t wash, and it provides precious little comfort to nearly 10 million Australians whose data was exposed.

Regardless of why companies collect customer data – whether to fulfil “know your customer” regulations, under metadata retention laws, for marketing purposes or anywhere in between – once they collect it, they must keep it safe and handle it responsibly.
Success or failure of the government’s privacy reform agenda will be measured on whether the government can set a clear market signal about what personal information is worth, so that companies can quantify – and price in – the risk of data mishandling. Under current laws, the maximum fine the Information and Privacy Commissioner can issue for a data breach is $2.2 million. This is a fractional amount of the loss incurred by customers in incidents such as the Optus breach.

To oversee an upgraded regulatory regime, and effectively police it, Australia also needs a well-resourced regulator – with teeth.