Changes to Telecommunications Regulations aimed at protecting consumers following Optus data breach

The government has proposed a number of amendments to the Telecommunications Regulations 2021 to better protect Australians following the Optus data breach.

Oct 6, 2022

The amendments would allow Optus and other telcos to better coordinate with financial institutions, the Commonwealth, and states and territories, to detect and mitigate the risks of cyber security incidents, frauds, scams and other malicious cyber activities.

They would also enable telecommunications companies to temporarily share approved government identifier information (such as driver’s licence, Medicare and passport numbers of affected customers) with regulated financial services entities to allow them to implement enhanced monitoring and safeguards for customers affected by the data breach.

In addition, Optus will be able to share identifiers to assist Commonwealth, and state and territory agencies, to detect and assist in preventing fraud.

Treasurer Jim Chalmers said the proposed regulations have been designed with strong privacy and security safeguards to ensure that only limited information can be made available for certain purposes.

These specifically include:

  • The regulations cover financial institutions that are regulated by APRA, excluding branches of foreign banks.
  • The Communications Minister has the ability to specify additional services entities, if required, but only for entities that are related to or support an APRA-regulated entity.
  • Information can only be used for the sole purpose of preventing or responding to cyber security incidents, fraud, scam activity or identity theft.
  • Entities that wish to receive the data must provide written commitments to the ACCC that they will comply with their obligations under the Privacy Act 1998, attest to APRA that they meet the relevant information security standard, and confirm in writing that the information they are seeking is necessary and proportionate.
  • Approved recipients must satisfy robust information security requirements and protocols for any transfer and storage of data.
  • Information received must be destroyed once it is no longer required.

The proposed changes will also allow for increased fraud detection in the broader financial services sector through existing industry mechanisms to report fraudulent transactions, such as fraud information exchanges.

In addition, the Council of Financial Regulators’ cyber security working group will examine and report on options to further improve the ability of financial institutions to identify at-risk customers and credentials by utilising an existing secure and privacy-protecting data sharing platform, to enable financial institutions to further enhance their protections for consumers from financial crime.

The financial regulators have taken additional steps to protect customers, including through the ACCC’s ScamWatch, and direct engagement with financial institutions.

Financial institutions have also been proactive in response to the data breach, including through implementing heightened controls on those accounts identified as at higher risk.
