
OAIC and ACMA investigate Optus breach, putting telco in line to pay billions in compensation

A leading technology and regulation lawyer says Optus is likely to feel more financial pain from being forced to compensate data breach victims than from fines available under the Privacy Act.
Julian Bajkowski

One of Australia’s leading technology and regulation lawyers says besieged carrier Optus is likely to feel more financial pain from being forced to compensate data breach victims than from fines available under the Privacy Act in the wake of one of Australia’s biggest corporate data spills.

The Office of the Australian Information Commissioner (OAIC) on Tuesday revealed it has launched an own-motion investigation into the Optus data breach in conjunction with the telco regulator, the Australian Communications and Media Authority (ACMA), a move that puts the carrier on a path to enforcement action if adverse findings are delivered.

“The OAIC’s investigation will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business,” the OAIC said.

“If the OAIC’s investigation satisfies the Commissioner that an interference with the privacy of one or more individuals has occurred the Commissioner may make a determination that can include requiring the Optus companies to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage.”

With political anger over the massive data spill continuing to run hot, policymakers appear keener than ever to ensure regulators can extract penalties that are sufficient to act as a material deterrent to other telcos and corporates sloppily hoarding data.

Australia’s two biggest banks, CBA and Westpac, have recently between them sacrificed more than $2 billion in fines courtesy of anti-money laundering agency AUSTRAC; however, the fines Optus is likely to face are far smaller.

“There are two main possible breaches: a breach of the security obligations surrounding personal information, and a breach of the retention obligations,” Gilbert and Tobin partner Simon Burns told The Mandarin.

“It hasn’t really been tested in the courts, but it’s likely the maximum fines of $2.22 million will be applied on a per ‘act or practice’ basis, i.e., per breach. It’s unlikely the fines would be specifically multiplied by each individual affected.”

That essentially caps out at around $4.4 million against Optus’ revenue of around $7.8 billion a year.

If the fines were applied per individual, the calculation would be of literally astronomical proportions: $2.22 million multiplied by 10 million customers comes to roughly $22,000,000,000,000, or $22 trillion, many times the size of Australia’s entire annual economic output.

Gilbert and Tobin’s Burns reckons the real financial rub for Optus could come from compensation for the clean-up bill for affected individuals. Both state and federal governments have demanded Optus pay to roll over customer credentials that have been compromised.

“The bigger risk is the compensation orders, because these often need to be paid to each impacted individual. So you do get the multiplier effect,” Burns said.

“Typically these have been in the range of up to $5,000-$20,000 per individual, depending on the damage suffered,” Burns said. “That is potentially a very big number.”

It does add up quickly. At the lower end of that range, just 100,000 customers receiving $5,000 each adds up to $500 million, which puts a compensation bill in the billions easily within range.

Litigation funders and law firms are already circling.

Maurice Blackburn is already taking registrations for its potential class action against Optus “over a major customer data breach involving millions of current and former Optus account holders”.

“Registration is free. You do not need to pay anything to register for or participate in the potential class action,” the law firm said.

This article was first published by The Mandarin.