The Optus breach raises critical questions. Do we have an effective National Cyber Security Strategy? Is corporate Australia proactive and prepared for the increasing cyber threats? What are the correct legislative incentives to get executives to prioritise cyber security investments? The biggest question of all is: whose data is it anyway? Who owns the data that Optus had a duty of care to protect? Is it the individual, the business or the Commonwealth?
Without understanding who owns the data, we can never answer these questions. Knowing who owns the data is fundamental to deciding what obligations data custodians like Optus should have to protect it and, in the event of a breach, to compensate the owners (whoever they may be) for damages.
What about the cybersecurity legislation?
Most cyber legislation, policy and strategy to date focuses on managing risk to protect the privacy of information. There is little that supports the victims of cybercrime. In this case the victims are clearly Optus clients, who are now going through the pain of dealing with their exposed information, including Medicare and passport details.
We have had the Privacy Act, the Australian Data Strategy and the National Data Security Action Plan. None of them address the question of data ownership versus custodianship. But it must be defined and dealt with. The current situation, where the onus is on the victims of an attack to pay for replacement IDs, or on the government to effectively foot the bill, is untenable.
One thing I agree with Optus CEO Kelly Bayer Rosmarin on: simply increasing the penalties for a breach is unlikely to have a large effect on the security of Australians' data. There needs to be a duty of care in place that Optus and other data custodians can be held accountable to.
What more could have Optus done in the aftermath?
There are things Optus could have done better, as I'm sure they will agree. But being a customer service business, we must not forget that Optus is a victim too. It is too early to understand how the breach occurred, and there will be lessons learnt. It may be that they failed to properly secure the data with encryption, that privilege administration controls failed, or that data-centric security controls were not implemented so that data is safeguarded even when network security fails.
Then there are the communication failures: not disclosing to affected clients which of their data was breached. Clients have had to call Optus to have this information provided. All of this is important, but it pales in comparison to the fundamental question of data ownership. If we can't legislate who owns data in each situation, we can't define their rights or the obligations of data custodians in the event that the data is compromised.