The federal government has put forward amendments to the Telecommunications Regulations 2021 as it strives to better protect Australians impacted by the Optus data breach.
The regulations are set to allow telecommunications companies to share approved government identifier information of those impacted by a data breach, such as driver’s licence, Medicare card or passport numbers, with regulated financial services entities.
The government said that the alterations to the regulation would enable financial institutions to increase their monitoring and safeguards for customers affected by a data breach.
“Our government has been working in lockstep with banks and financial regulators to facilitate the safe and secure sharing of data between Optus and regulated financial institutions, with appropriate safeguards, to improve consumer protection,” said Treasurer Jim Chalmers.
“Financial institutions can play an important role in targeting their efforts towards protecting customers at greatest risk of fraudulent activity and scams in the wake of the recent Optus breach.
“These new measures will assist in protecting customers from scams, and in system-wide fraud detection.”
The proposed amendment would also allow the information to be shared with the Commonwealth as well as states and territories to enable those bodies to detect and mitigate the risk of fraud, scams and other cyber activities.
While the proposed changes could mean more sensitive information would be transferred to different bodies, the government said the regulations had strong privacy and security safeguards to limit the purposes for which the information is made available.
These protections include:
- The regulations apply to financial institutions that are regulated by APRA, excluding branches of foreign banks.
- The Communications Minister can specify additional services entities, if required, but only for entities that are related to or support an APRA-regulated entity.
- Information can only be used for the sole purpose of preventing or responding to cyber security incidents, fraud, scam activity, or identity theft.
- Entities that wish to receive the data must provide written commitments to the ACCC that they will comply with their obligations under the Privacy Act 1998, attest to APRA that they meet the relevant information security standard, and confirm in writing that the information they are seeking is necessary and proportionate.
- Approved recipients must satisfy robust information security requirements and protocols for any transfer and storage of data.
- Information received must be destroyed once it is no longer required.
The government’s proposed changes are also designed to provide increased fraud detection in the broader financial services sector through existing fraud reporting methods.
The Council of Financial Regulators’ cyber security working group would also examine and report on further options to improve the ability of financial institutions to identify at-risk customers and credentials, according to the government.