Attorney general flags urgent privacy law changes after Optus data breach

Privacy law changes, including tougher penalties for data breaches, could be legislated as early as this year, the attorney general has said in the wake of the Optus breach.

Mark Dreyfus revealed on Thursday that in addition to completing a review of Australia’s privacy laws the Albanese government will look to legislate “even more urgent reforms” late this year or in early 2023.

The suite of immediate reforms could include penalties, safeguards on personal information and strengthening requirements for companies to notify customers of breaches.

Labor has talked up the need for tougher laws since the Optus attack affected up to 10 million customers, including 2.8 million people who had their licence or passport number leaked.

The home affairs minister, Clare O’Neil, has suggested reforms will include increasing the maximum penalties for data breaches – currently capped at $2.2m – and extending a power to set minimum cybersecurity standards to telcos.

On Thursday, Dreyfus told Radio National that the foreign minister had written to Optus asking it to pay for Australians’ replacement passports and the prime minister had “made very clear … it is going to be a matter for Optus to pay for costs incurred by Australians as a result of the data breach that has occurred”.

Dreyfus said Australians were “rightly concerned” about the exposure of personal information, and warned Optus it expects “continuing cooperation” from the telco.

Asked about privacy law reforms, Dreyfus replied: “It is a matter of urgency. We need to bring privacy laws … up to date, [and make them] fit for purpose for the digital age.”

The attorney general said he hoped to complete a “long-running review” of privacy laws by the end of 2022.

“We are also looking at even more urgent reforms we can make straight away to the Privacy Act to do things like increasing the safeguards that are already there that relate to personal information, security guidelines, and strengthening the notifiable data breaches scheme.

“We’re looking at what can be brought to parliament in the remaining sitting weeks and if possible pass this year or, if not this year, then early next year.”

“It is clear we need to strengthen the Privacy Act,” he said, “and possibly one of those ways could be to increase penalties, so that in no way is a data breach just a cost of doing business but something boards know there [are] very, very serious consequences for if they fail to take care of the data”.

Earlier, Dreyfus told ABC News Breakfast that the Australian federal police “has been working with the FBI to try and track down the perpetrators”.

The government is asking Optus to share data with banks and financial institutions so they “can take precautions to protect those Optus customers whose data has been stolen”, he said.

Sign up to Guardian Australia’s Morning Mail

Our Australian morning briefing email breaks down the key national and international stories of the day and why they matter

Privacy Notice: Newsletters may contain info about charities, online ads, and content funded by outside parties. For more information see our Privacy Policy. We use Google reCaptcha to protect our website and the Google Privacy Policy and Terms of Service apply.

“What we can also do … is look at toughening the laws, particularly the Privacy Act, to possibly increase the penalties and … the precautions that have to be taken by any company that’s storing the data of Australians in the way that Optus was.”

Dreyfus said that “regrettably” Optus had omitted from its initial notification to customers that “some Medicare numbers in addition to passport numbers and driver’s licence numbers were included in the data breach”.

“That shouldn’t have happened. It’s really important that there be notification because it’s only [then] you can start to take the appropriate steps to guard against the consequences of a data breach like this.”

In a statement on Wednesday evening, Optus said it had identified 14,900 valid and unexpired Medicare ID numbers among the compromised customer records, as well as 22,000 expired numbers.

Customers with valid Medicare numbers will be contacted within 24 hours, and those with expired numbers in coming days.

Optus parent company Singtel on Wednesday said “we are deeply sorry to everyone affected by the data theft on our subsidiary Optus”.

“Singtel management and board are treating this incident very seriously and working closely with Optus to address what is a complex issue, holistically,” the company said in a statement.