Updates to the telecommunications regulations in the wake of the Optus cyber incident


TLDR

Amendments to the Telecommunications Regulations 2021 (the Amendments) are now in force that authorise telecommunications carriers and carriage service providers to share specified information and documents about their customers with eligible financial institutions. The Amendments were made to help those institutions combat fraud following the 22 September 2022 cyber incident that resulted in the exposure of 9.8 million Optus customers’ records.[1] However, to receive the information, eligible financial services entities will have to make strong commitments to the ACCC about how the information will be used, disclosed and protected.

Optus Incident

On 22 September 2022, Optus announced that it had become the victim of a cyber incident, which resulted in the unauthorised access to and disclosure of current and former customers’ personal information. The information exposed included customers’ names, dates of birth, phone numbers and email addresses and, for a subset of customers, residential addresses and ID document numbers such as driver's licence, Medicare card and passport numbers. According to Optus, customer payment details and account passwords were not compromised in the incident.[2]

Why was the Regulation made?

As a carrier and carriage service provider, Optus is prohibited from disclosing information about its customers to third parties unless it is authorised to do so under Part 13 of the Telecommunications Act 1997 (the Act). It would therefore need to be authorised by law to disclose information to financial institutions to assist them to combat fraudulent activity by third parties using compromised Optus information.

On 6 October 2022, Federal Minister for Communications, Michelle Rowland, therefore announced amendments to the Telecommunications Regulations 2021 to:

  • authorise carriers and carriage service providers to provide specified information and documents to financial institutions to detect and mitigate the risks of malicious activity, including ID theft and scams; and
  • allow carriers and carriage service providers to disclose limited specified information and documents about customers to government agencies, like Services Australia, to assist in preventing fraud.

What customer information can be shared?

Carriers and carriage service providers are only authorised to share ‘specified information’ or a ‘specified document’ about customers with certain financial services entities. The kinds of information or documents that can be shared with those entities are:

  • government related identifiers (e.g. driver's licence, Medicare and passport numbers) of individuals who are existing or were past customers; and
  • a form of ‘personal information’ of existing or past customers as specified by the Minister in a notifiable instrument under subsection 15A(5)(a) or (b). No such instruments have yet been issued.

There is no restriction on the kinds of information or documents that carriers and carriage service providers are authorised to disclose to a Commonwealth entity or State authority.

What entities are able to receive customer information?

To be eligible to request and receive information under the amended Regulations, financial services entities must be regulated by the Australian Prudential Regulation Authority (APRA). This class of potential entities includes authorised deposit-taking institutions (ADIs), general insurers, life insurers, registrable superannuation entities and their licensees, and private health insurers.

The amended regulations give the Communications Minister the power to add financial service entities to the list of eligible recipients if required, but only where those entities are related to, or support, an APRA-regulated entity.

Government entities that are authorised to receive information under the amended Regulations are Commonwealth entities as defined in the Public Governance, Performance and Accountability Act 2013, and ‘State authorities’ (as defined in the Intelligence Services Act 2001, which covers various State and Territory entities).

There are safeguards on the disclosure of customer information to financial services entities

Financial services entities receiving customer information must use it for the purposes of preventing or responding to cyber security incidents, fraud, scam activity or identity theft—e.g. to monitor customers’ accounts for unlawful withdrawals and to detect fraudulent attempts to seek credit—or to address malicious cyber activity (an Approved Purpose).

In addition, to be eligible to receive the customer information, financial services entities must:

  • ensure that the information they are seeking is necessary and proportionate in the circumstances; and
  • provide APRA with an attestation signed by an authorised officer, confirming compliance with Prudential Standard CPS 234 – Information Security as in force from time to time.

They must also give the ACCC a written commitment that the entity will comply with significant obligations in respect of information or documents about customers of a carrier or carriage service provider (Customer Information), including that:

  • access, use or disclosure of Customer Information will only be for an Approved Purpose and only in accordance with the requirements of the Privacy Act 1988;
  • Customer Information will only be shared with an associate of the entity to the extent necessary for an Approved Purpose;
  • Customer Information will be stored in a manner that prevents unauthorised access, disclosure or loss – noting that this is a higher standard than APP 11, which requires organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure;
  • the entity will review its need to retain Customer Information at least once every 12 months, and destroy Customer Information no longer required for an Approved Purpose;
  • the entity has appropriate written procedures to ensure that Customer Information is handled in accordance with the requirements set out above; and
  • the entity will obtain a written commitment in the same terms as that made to the ACCC from an associate (other than an employee of the entity) before sharing Customer Information with that associate or any other financial services entity in accordance with the Regulations.

Finally, the authorisation to disclose information under the amended Regulations ends on 13 October 2023 when sections 15A and 15B of the amended Regulations are repealed. We expect that by this time there will be amendments to the Privacy Act 1988 that will address this particular issue.

The ACCC has already made clear that it will be:

  1. treating commitments given by entities as representations for the purposes of section 18 of the Australian Consumer Law, the breach of which can be subject to civil penalties; and
  2. actively monitoring compliance with each of the commitments, which could include the use of investigative and enforcement tools such as substantiation notices and compulsory notices for production.

More to come

The amendments to the Regulations are the latest in a range of steps the government has taken to manage the fallout from the incident, following the launch by the Australian Federal Police of Operation Hurricane, to identify the perpetrators in coordination with the FBI, and Operation Guardian, to provide special monitoring and protection for the 10,200 customers whose personal information has already been made public.

Further legislative amendments are anticipated as part of the ongoing review of the Privacy Act, with Attorney General Mark Dreyfus flagging tougher penalties, data retention limits and anti-fraud measures as key proposals likely to be brought forward ahead of the overall findings from the two-year review, expected at the end of the year.[3]

References

[1] ‘Optus update on Medicare ID Number’, 28 September 2022, URL: https://www.optus.com.au/support/cyberattack#optus-update-on-contacting-our-customers-14-10

[2] ‘Optus notifies customers of cyberattack compromising customer information’, 22 September 2022, URL: https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack

[3] ‘Optus breach to bring forward 3 privacy law reforms: Dreyfus’, 12 October 2022, URL: https://www.innovationaus.com/optus-breach-to-bring-forward-3-privacy-law-reforms-dreyfus/
