The details of the recent Optus data breach are unfolding by the minute, and any recount of the incident provided here may be quickly overtaken by events.

Safe to say, millions of personal information records were compromised last week by a malicious actor and the facts surrounding the incident and liability of Optus and/or its personnel will be the subject of debate for months to come.

The incident raises the more general question – when does a data breach or hack lead to a breach of the Privacy Act or other laws? Many people would not realise that a company whose database is hacked is not automatically in breach of the law.

Here are some of the factors relevant to whether a data breach may lead to a breach of the law, and with that liability for fines of up to $2.22 million for corporations for serious or repeated interference with privacy.

Failure to protect data

Australian Privacy Principle (APP) 11 requires an organisation that is subject to the Privacy Act to take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access. A malicious actor can employ sophisticated tactics to gain unauthorised access to personal information, and there might not have been anything an organisation could do about it with the reasonable security measures it had in place. This is what will likely be explored with Optus.

The nature of these ‘reasonable steps’ will take into account the size, resources, complexity of operations and business model of the entity that has been hacked. In Optus’ case, due to the amount of personal information it held and the size of the organisation, these steps will likely need to be on the sophisticated end of the scale. There have been discussions in the media as to what security measures Optus did or did not employ. As lawyers, we leave the fact finding to the IT security experts before making an assessment as to what is reasonable.

Failure to notify

Since the introduction of mandatory data breach reporting in 2018, Optus would have been in breach of the Privacy Act if it failed to report in a timely manner any unauthorised access or disclosure (or likely access or disclosure) of personal information which was likely to lead to “serious harm” of the affected individuals that could not be prevented with remedial steps. Serious harm often includes identity fraud, for example.

Failure to remediate the breach that leads to further loss

Following the initial unauthorised access to the personal information, organisations need to be careful that the steps they subsequently take also constitute reasonable steps to protect personal information. If not, this could lead to breaches of APP11 even if the original data breach was not actionable.

Reasonable steps in similar instances might not include paying a $1.5 million ransom, for example, but would likely include quickly patching up any system vulnerabilities that have been discovered and that may lead to further disclosure, or notifying affected individuals so they can be vigilant and take steps to protect themselves.

The data itself

In Optus’ case, some of the data reported to have been accessed by the malicious actor include identity information, including Medicare, passport and driver’s licence details.

How historical is this data? Should Optus still have been storing it, or should it have been securely destroyed if it was no longer required for any purpose it may be used or disclosed under the APPs?

A failure to destroy or de-identify personal information when no longer required for any purpose could lead to a breach of APP11.

Serious and repeated interference with privacy

If a breach of an APP was found, it would still need to be serious or repeated to lead to financial penalties. The OAIC’s recent and ongoing proceedings against Facebook are the first time an action has been brought seeking financial penalties for serious or repeated interference. ‘Serious’ or ‘repeated’ are not defined terms and there is no guidance from courts to date.

Claims from affected individuals

Even if there is no breach of the Privacy Act, individuals may make a complaint and if their personal information held by Optus has been accessed by any unauthorised entity, they may be successful in claiming certain damage or loss. Historically, these amounts have not been large or have tended more to directly compensate individuals for the reasonable costs of, for example, installing security cameras where a silent home address has been published by mistake and the individual has safety concerns.

Further, there is arguably a limited legal basis for such claims, and monies are usually paid to avoid further action or adverse media publicity.

Future law reform

In an ongoing review of the Privacy Act, discussions have proposed a more direct right of action for individuals who have had their personal information interfered with, and a statutory tort for the invasion of privacy.

Further, there has been a proposal for new penalty provisions for less ‘serious’ breaches.

These proposed law reforms will undoubtedly be brought into increased focus as a result of this breach, as currently the OAIC and affected individuals are somewhat hamstrung in the actions they can take.

Protecting against individual claims, remediating the breach through IT security investigations and reports, taking preventative measures (such as paying for fraud monitoring), and reputational loss will most likely be where Optus feels the real pain of this breach, at least in the immediate sense.