Banks face policy fallout from Optus data breach

George Lekakis

Bank of China’s Australian arm shares customer data with a Russian entity

Australia’s banking sector has a lot riding on how the Optus data breach crisis plays out over the next few months, with concerns intensifying among major banks that the scale of the telco’s data breach could result in more onerous regulatory requirements on local service providers.
 
There is still a lot that we don’t understand about the Optus hack that the company says led to the personal details of more than 9 million customers being stolen.
 
Federal Home Affairs minister Clare O’Neil on Monday fired a clear signal in federal parliament that root and branch reform of Australia’s customer privacy and data storage laws is in the offing.
 
She hinted that the reform package being considered by the Albanese government could include a punitive penalties regime that would mean companies that suffer an Optus-scale data breach would incur fines running into the hundreds of millions.
 
That shouldn’t surprise the boards and senior executives of Australian banks, because a reform consultation process had already been initiated by the former Morrison government in May, when the home affairs department called for industry submissions on a proposed national data security action plan.
 
A key feature of a draft plan stumped up by the department was a proposal for local corporates to manage and store their customer data on computer servers located physically in Australia.
 
O’Neil did not address whether the government would look to mandate such a change, saying only that she would release more details about the policy program in the “coming days”.
 
“A very substantial reform task will emerge from a breach of this scale and size and there are a number of policy issues that I think the public will soon become quite aware of,” she told parliament.
 
“One significant question is whether the cyber security requirements we place on large telecommunications providers in this country are fit for purpose.
 
“I also note that in other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars.
 
“I really hope this reform task is something we can work on collaboratively across the parliament and I will speak in coming days about how we work through those issues in conjunction with other members of parliament.”
 
The Optus controversy and the policy response it is about to unleash will be ringing alarm bells among boards of the major banks and the 16 other members of the Australian Banking Association.
 
While customer-owned banks and credit unions overwhelmingly store customer data within Australian borders, the 20 members of the ABA have for many years disclosed that they hold sensitive client information on servers overseas.
 
In its privacy policy Commonwealth Bank of Australia reserves the right to send customer data to service providers and other third parties in 19 countries, including Argentina, Bermuda, China, Fiji and South Africa.
 
National Australia Bank discloses in its privacy statement that data is shared with third parties in up to 14 countries, including China, India, the Philippines, Vietnam and Israel.
 
The Bank of China’s Australian subsidiary, which is also an ABA member, tells customers in its privacy policy that it is “not practicable” to list all the locations where it shares Australian customer data, but names 30 nations.
 
The list includes Russia, Bahrain, Kazakhstan, Zambia, Cambodia and the Cayman Islands.
 
In a submission to the department of home affairs in July, the ABA argues that its member banks should continue to be allowed to hold Australian customer data overseas.
 
The ABA argues that forcing its member banks to “localise” their data storage would contravene a string of free-trade agreements and result in significant costs for the industry.
 
“Australia’s experience has shown that offshore data storage can be consistent with ensuring Australian regulators continuing to have full and timely access to the data needed to fulfil their regulatory and supervisory mandate,” the ABA argues in its submission.
 
“ABA encourages the Government, as part of the data security action plan, to identify factors that may make an overseas jurisdiction suitable or unsuitable for storing sensitive data about Australian citizens, and introducing a 'white list' of jurisdictions under the Privacy Act.”
 
Banking technology expert Glenn Stafford, the managing director of Sydney-based consultancy PerformPlus, said ABA members have a lot riding on the policy fallout from the Optus breach.
 
“I think it is an inflection point for privacy in Australia and I think it could lead to material change if governments and regulators come down on this from a great height,” he said.
 
“Wider reforms, including a potential requirement to store customer information on servers located in Australia, could be a very expensive and challenging exercise for the banks.”