Privacy law changes must not overburden business

A data privacy compliance sledgehammer is about to hit Australian businesses.

On the back of the recent Optus, Telstra, Medibank and Woolworths data breaches, many businesses have realised the urgent need to protect consumer data.

As the Federal Government rightly considers how to respond to the breaches and make amendments to the Privacy Act 1988, the Victorian Chamber wants the government to consider the implications of widespread changes. Doing so will make sure it can implement deliberate, focused solutions that protect consumer data but do not unnecessarily burden businesses.

The September 2022 Optus breach, which involved half of the Australian adult population, has highlighted the growing need for information technology privacy reform. We know that 2.1 million people are at a high security risk due to the theft of their personal identification numbers.

This information may have been stolen directly from Optus through an unauthenticated Application Programming Interface (API). The closest analogy is storing $1 million in a house under construction and never attaching the front door. A criminal drives past, sees the money, walks in, takes the cash and drives off.

The scale of the breach demonstrates the risk to Australian individuals and businesses. Optus customers who are sole traders or small business owners and whose identity has been stolen represent the highest risk. It is crucial that customers take steps to update identity documents, monitor credit activity and remain vigilant.

All businesses need to prioritise cyber security. Those yet to start the journey need to urgently implement basic steps: adopting and reviewing multi-factor authentication, patching, backing up data, and considering whether the data stored is needed. As a minimum, businesses should ensure that information and communication technology (ICT) departments have obtained ACSC (Australian Cyber Security Centre) Essential 8 Level 1 maturity and undertake an independent security assessment.

The Privacy Act 1988 addresses elements of privacy and information security but was drafted before Google (1998), Wikipedia (2001) and iPhones (2007) were invented. As a result, it needs to be modernised. Given the scale of the breach, the Federal Government has indicated an overhaul of the policy may be imminent.

Any changes would require businesses to implement processes to limit the amount of personal data stored and destroy customer data that is not essential to business operations. This will not be an easy or quick task given data is housed by businesses in structured sources like customer relationship management (CRM) systems and unstructured sources such as emails, documents, and spreadsheets.

In areas where information security has been strengthened, we know that many small businesses get left behind through ignorance or associated costs. The Victorian Chamber believes businesses must ensure the community can trust them with their personal information. However, when it comes to potential changes in Commonwealth legislation, all changes must meet the need for greater data protection without adversely burdening business. We know business stands ready to do its part.
