NewsBite

‘Safe harbour’ cyber laws needed: Optus boss

The telco is potentially facing millions of dollars’ worth of fines for privacy breaches, but says a re-think is necessary.

Optus CEO Kelly Bayer Rosmarin. John Feder/The Australian.

Optus chief executive officer Kelly Bayer Rosmarin has welcomed the government’s move to appoint a national co-ordinator for cyber security, and has called for it to consider new “safe harbour” protocols that would shield companies from liability when they meet certain cyber security standards.

Optus last year suffered one of the largest data breaches in Australian history when 10 million customers had their data stolen by a hacker, who demanded a $US1m cyber ransom. That breach, along with one suffered by Medibank, has sparked reforms including a new cyber security agency, and a national strategy that will run through to 2030.

Speaking at the Cyber and Infrastructure Security conference in Sydney, Ms Bayer Rosmarin said that Optus’ cyber breach was particularly challenging given the number of agencies and partners involved in the response.

“Most of us have been involved in cyber drills. We have playbooks, crisis manuals, decision scenarios and textbook responses to manage the implications of an attack and to work towards mitigating risk to the company and its customers. The drills help us prepare and keep our playbooks updated, but nothing can fully prepare for the high-pressure reality of the real thing,” she said in her keynote speech.

“When confronted by a cyber attack of any scale, an organisation may find itself working with others who have different playbooks, timelines, and priorities.

“One learning is the value of practising our playbooks together and working through being co-ordinated in a manner that would have aligned expectations, time frames and clarity of roles and accountabilities.

“We believe having a national co-ordinator in place during experiences such as ours will be tremendously valuable and is a clear demonstration of the forward looking thinking from the government on cyber.”

Ms Bayer Rosmarin said further legal reform may be needed, particularly around “safe harbours” that shield companies from liability when they maintain a cybersecurity program that meets certain prescribed standards and can show compliance at the time of the breach. Safe harbour laws have been introduced in some US states.

“The government may wish to consider developing safe harbour protocols that would encourage the full and frank sharing of information with key government agencies without prejudicing any future regulatory investigations or legal action.

“The cyber hacking community closely observes how organisations and nations respond, and this could influence decisions on future targets.”

The Australian Communications and Media Authority (ACMA) and the Office of the Australian Information Commissioner (OAIC) have each announced probes into Optus’ handling of the data breach, and the telco could face fines of up to $2.2m for each privacy breach if the OAIC decides to take it to court.

Rachel Noble, the director of the Australian Signals Directorate, told a Senate committee late last year the safe harbour concept was a “most excellent idea.”

“From an operational perspective, in that heat of the incident, if you will, when we’re still trying to pull people out of the water and into the lifeboats, to have that absolute confidence for the private sector, that at the very least their operational engagement with ASD would be exempted from the inquiry of others … Whether they are other government agencies or other people scrutinising the process, like we’ve seen in class action lawsuits, for example, that is very attractive to us as well,” she said.

It comes after the FBI last week arrested the person allegedly behind the BreachForums dark web forum, which hosted stolen personal data from millions of Medibank and Optus customers.

Conor Brian Fitzpatrick, known by his BreachForums online handle ‘Pompompurin’, was arrested at his New York home last week, according to court filings.

BreachForums hosted data from the mass Medibank and Optus data breaches late last year. Culprits have yet to be identified in either of those incidents, but the AFP has said a Russian hacking group is responsible for the Medibank hack.


Original URL: https://www.theaustralian.com.au/business/technology/safe-harbour-cyber-laws-needed-optus-boss/news-story/a679a358af055dafd12c25743020b52e