Optus data breach: What are the new laws for telcos after a cyber attack?

As the fallout from the Optus data breach continues, the government has announced new rules for telecommunications companies. Here's what that means for customers.

An Optus store featuring apology signs and dark balloons.

New laws have been announced for telecommunications agencies following the Optus data breach. Source: AAP / Mark Baker

Key Points
  • The federal government has announced new regulations for telcos following a massive Optus data breach.
  • The reforms will allow companies to share customer data with financial institutions to prevent fraud.
The federal government has announced new regulations for telecommunications companies following the Optus data breach, which resulted in millions of customers' personal information being accessed.

Under the new regulations, Communications Minister Michelle Rowland said information from affected companies could be shared with financial institutions when required to prevent or respond to cyber security incidents, and must then be destroyed.

Here's what we know so far, and what it means for consumers.

Sharing data to protect customers

On Thursday, Ms Rowland said the reforms aim to protect customers and enable better detection of fraud.

Currently, companies cannot legally share customers' information with financial institutions, meaning Optus was not able to directly communicate with banks to warn them which accounts scammers might target.

Now, this will change.

"What we are going to do is amend the telecommunications regulations to do two things - this is going to enable Optus and other telcos to better coordinate with financial institutions to detect and mitigate the risks of malicious activity, including ID theft and scams," Ms Rowland said.

"And the second is to allow Optus to share limited information about customers with government agencies like Services Australia to assist in preventing fraud.

Financial services entities eligible to receive the data must be Australian Prudential Regulation Authority (APRA) regulated financial institutions.

"Information can only be used for the sole purposes of preventing or responding to cyber security incidents, fraud, scam activity or identity theft," Ms Rowland said.

"The approved recipients must satisfy very robust information security requirements and protocols for the transfer and storage of data.

"And information received must be destroyed when it's no longer required."

How would this actually work, and who does it protect?

Technology commentator Trevor Long said the reforms were built to specifically protect Optus customers whose details were compromised in the data breach.

"Strangely, despite the fact that that information has been stolen by an external body without permission to share the information back to the government, and therefore, try and protect the identities of those people, we need this regulatory change.

"So it's a very simple change broadly, but it allows Optus to share the information of the millions of people who've been affected and therefore move that information on to financial services and banks."

Mr Long says having these customer details will assist banks in monitoring for any suspicious activity.

He also says it is important to understand the data will only be given out when necessary.

"It will be done in a very regulated way; they're not just randomly handing out those details," he said.

"But it means different banks that I don't operate with would know my details and put me essentially on a warning list so that if someone tries to apply for credit or a loan under my name, they can go through an extra set of checks to make sure it really is me applying for that loan."

What has the reaction been?

Optus Vice President Regulatory and Public Affairs Andrew Sheridan told SBS News the company welcomes the announcement on proposed changes to data sharing regulations.

"Optus is also pleased the Federal Government has taken the initiative to form a joint working group with Optus to enhance the coordinated response to the cyberattack," he said.

"We look forward to continuing to collaborate closely with the working group and all governments."

Mr Long says he believes the new laws can provide some reassurance for Optus customers who may be worried about identity theft and fraud following the data breach.

"We're talking about potentially 9.8 million people ... those people can have a higher sense of safety around their identity," he said.

"Previously to this announcement, you would have had to do a bit more work yourself, go and get a credit check, apply for a credit ban and actually be a bit more vigilant and ongoing, but now we can have a bit of faith that the financial services around, you're actually going to simply protect us along with the government."

Man arrested for alleged data breach scam

A Sydney man has been charged for allegedly attempting to use stolen Optus customer data in a text message blackmail scam.

The Australian Federal Police said the man was not suspected of being the individual responsible for the Optus breach, but allegedly tried to financially benefit from stolen data uploaded to an online forum.

The investigation was sparked when the AFP became aware of a number of text messages demanding some Optus customers transfer $2,000 to a bank account or face their personal information being used for financial crimes.

What else can be done to protect customers?

On Thursday, Treasurer Jim Chalmers told reporters further steps would be taken if needed.

"These steps that we announce today are all about helping Optus and the financial services sector and the relevant agencies work together more effectively to protect customers affected by the breach," he said.

"If there are further steps that need to be taken, we will take them; Clare O'Neil, Michelle Rowland and other ministers have made that clear."

Going forward, Mr Long told SBS News there are several measures he would like to see taken to protect Australians in the event of any future data breaches.

"The government should be putting in place a mechanism by which everyday Australians can simply turn off and turn on their own credit application, so I could go to MyGov, for example, and say 'I don't want credit being applied for under my name' ... so that it doesn't matter who has my identity, they can't abuse it," he said.

He would also like to see greater control around how companies manage consumers' data.

"Greater controls, greater penalties around data breaches, and essentially a long and detailed conversation about who's asking for our data, how long they're keeping it for, and in what manner."

"The biggest problem Optus has here is personal information was kept un-encrypted ... not only was it accessed, but it was easily read.

"Personal information like Medicare and driver's licences should be separated from my date of birth and my address and it should be encrypted so no one can put those things together."
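Mr Long's final point, keeping identity documents apart from date of birth and address and encrypting them, can be shown concretely. The following Go program is an added example written for this article; it is not Optus code and says nothing about how Optus actually stored its data. It uses only the Go standard library: profiles sit in one store in the clear, licence and Medicare numbers sit in a second store as AES-256-GCM ciphertext keyed by an HMAC token rather than by customer ID, so a bulk read of the document table yields neither the identifiers nor the link back to a person. The `Vault` type, the field names and the customer record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Profile is the everyday contact record that support and billing systems need.
type Profile struct {
	CustomerID string `json:"customer_id"`
	Name       string `json:"name"`
	DOB        string `json:"dob"`
	Address    string `json:"address"`
}

// IdentityDocs are the high-value government identifiers kept in a separate store.
type IdentityDocs struct {
	Licence  string `json:"licence"`
	Medicare string `json:"medicare"`
}

// Vault (hypothetical) models two stores: plaintext profiles keyed by customer ID,
// and AES-256-GCM ciphertext keyed by an opaque HMAC token. Without both keys a
// dump of both tables cannot join a licence number to a name and address.
type Vault struct {
	profiles map[string]Profile
	docs     map[string][]byte
	aead     cipher.AEAD
	linkKey  []byte
}

func NewVault(docKey, linkKey []byte) (*Vault, error) {
	if len(docKey) != 32 || len(linkKey) < 32 {
		return nil, errors.New("docKey must be 32 bytes and linkKey at least 32 bytes")
	}
	block, err := aes.NewCipher(docKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{profiles: map[string]Profile{}, docs: map[string][]byte{}, aead: aead, linkKey: linkKey}, nil
}

// token derives the document-store key; without linkKey the mapping is not computable.
func (v *Vault) token(customerID string) string {
	mac := hmac.New(sha256.New, v.linkKey)
	mac.Write([]byte(customerID))
	return hex.EncodeToString(mac.Sum(nil))
}

// Store writes the profile in the clear and the documents as ciphertext, binding the
// customer ID as associated data so a ciphertext moved under another token fails to open.
func (v *Vault) Store(p Profile, d IdentityDocs) error {
	plain, err := json.Marshal(d)
	if err != nil {
		return err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.profiles[p.CustomerID] = p
	v.docs[v.token(p.CustomerID)] = v.aead.Seal(nonce, nonce, plain, []byte(p.CustomerID))
	return nil
}

// Lookup joins the two stores for an authorised caller holding both keys.
func (v *Vault) Lookup(customerID string) (Profile, IdentityDocs, error) {
	p, ok := v.profiles[customerID]
	if !ok {
		return Profile{}, IdentityDocs{}, errors.New("unknown customer")
	}
	ct, ok := v.docs[v.token(customerID)]
	ns := v.aead.NonceSize()
	if !ok || len(ct) < ns {
		return p, IdentityDocs{}, errors.New("no identity documents on file")
	}
	plain, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(customerID))
	if err != nil {
		return p, IdentityDocs{}, err
	}
	var d IdentityDocs
	return p, d, json.Unmarshal(plain, &d)
}

// DocStoreLeaksPlaintext models a bulk read of the document table and reports
// whether any stored key or value contains the given string in the clear.
func (v *Vault) DocStoreLeaksPlaintext(needle string) bool {
	for key, ct := range v.docs {
		if strings.Contains(key, needle) || strings.Contains(string(ct), needle) {
			return true
		}
	}
	return false
}

func main() {
	docKey, linkKey := make([]byte, 32), make([]byte, 32)
	rand.Read(docKey)
	rand.Read(linkKey)
	v, _ := NewVault(docKey, linkKey)
	// Constructed sample record; not real data.
	p := Profile{CustomerID: "cust-0001", Name: "Jane Citizen", DOB: "1985-02-14", Address: "1 Example St, Sydney"}
	d := IdentityDocs{Licence: "12345678", Medicare: "2345 67890 1"}
	if err := v.Store(p, d); err != nil {
		panic(err)
	}
	fmt.Println("licence readable from document table:", v.DocStoreLeaksPlaintext(d.Licence))
	fmt.Println("document table keyed by customer ID:", v.DocStoreLeaksPlaintext(p.CustomerID))
	_, got, err := v.Lookup(p.CustomerID)
	fmt.Println("authorised lookup:", got, err)
}
```

The design choice worth noting is that two keys are needed to rebuild a full identity: the link key to find the row and the document key to read it. Keeping those in a key-management service rather than beside the tables is what turns a database dump into ciphertext instead of a ready-made identity kit.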

Published 6 October 2022 12:44pm
Updated 6 October 2022 6:30pm
By Jessica Bahr
Source: SBS News