New amendments to the Telecommunications Regulations 2021 will enable telecommunications companies to temporarily share approved government identifier information with regulated financial services entities to allow them to implement enhanced monitoring and safeguards for customers affected by a data breach.
The amendments follow the data breach at Optus, including government identifier information such as drivers licences, Medicare and passport numbers of affected customers.
The Government will recommend the regulations be amended to allow Optus and other telcos to better coordinate with financial institutions, the Commonwealth, and states and territories, to detect and mitigate the risks of cyber security incidents, frauds, scams and other malicious cyber activities.
In addition, Optus will be able to share identifiers to assist Commonwealth, and state and territory agencies, to detect and assist in preventing fraud.
The proposed regulations have been carefully designed with strong privacy and security safeguards to ensure that only limited information can be made available for certain purposes. Specifically:
- The regulations cover financial institutions that are regulated by APRA, excluding branches of foreign banks
- The Communications Minister has the ability to specify additional services entities, if required, but only for entities that are related to or support an APRA-regulated entity
- Information can only be used for the sole purposes of preventing or responding to cyber security incidents, fraud, scam activity or identify theft
- Entities that wish to receive the data must provide written commitments to the ACCC that they will comply with their obligations under the Privacy Act 1998, attest to APRA that they meet the relevant information security standard, and confirm in writing that the information they are seeking is necessary and proportionate
- Approved recipients must satisfy robust information security requirements and protocols for any transfer and storage of data
- Information received must be destroyed once it is no longer required.
- The proposed changes will also allow for increased fraud detection in the broader financial services sector through existing industry mechanisms to report fraudulent transactions, such as fraud information exchanges.
Federal Treasurer, Jim Chalmers, said the new measures will assist in protecting customers from scams, and in system-wide fraud detection.
“Our Government has been working in lockstep with banks and financial regulators to facilitate the safe and secure sharing of data between Optus and regulated financial institutions, with appropriate safeguards, to improve consumer protection,” Mr Chalmers said.
“Financial institutions can play an important role in targeting their efforts towards protecting customers at greatest risk of fraudulent activity and scams in the wake of the recent Optus breach.”
Additionally, the Council of Financial Regulators’ cybersecurity working group will examine and report on options to further improve the ability of financial institutions to identify at-risk customers and credentials by utilising an existing secure and privacy protecting data sharing platform, to enable financial institutions to further enhance their protections for consumers from financial crime.
In developing this approach, the Government has undertaken extensive consultation across Commonwealth agencies, financial system regulators, Optus, the banking sector, major telecommunications providers, and the Australian Information Commissioner.
The financial regulators have taken additional steps to protect customers – including through the ACCC’s ScamWatch – and direct engagement with financial institutions.
Financial institutions have had a proactive response to the data breach, including implementing heightened controls on those accounts identified as at higher risk.
Federal Minister for Communications, Michelle Rowland, said, “The proposed regulations have been carefully designed with strong privacy and security safeguards to ensure that only limited information can be made available for designated purposes.
“This will enable Optus, the financial services sector and relevant agencies to work together more effectively, to implement enhanced monitoring and safeguards to protect customers affected by the breach.”