The Treasury has announced changes to the Telecommunications Regulations 2021, in the aftermath of the Optus data breach, which will allow telcos to temporarily share approved information with regulated financial services entities.
The move has been implemented to help telecommunications providers coordinate with financial institutions, the Commonwealth and states and territories to mitigate the risks of cyber security incidents, frauds and scams.
Under the new regulations, telecommunications companies will be able to share approved government identifier information, such as driving licence, Medicare or passport numbers of affected customers, to allow financial institutions to better safeguard customers’ information affected by the data breach.
The Treasury said that the proposed regulations, which followed consultation across agencies, financial regulators, Optus, the banking sector, major telecommunications providers and the Australian Information Commissioner, were designed with strong privacy and security safeguards, ensuring that only limited information can be made available for certain purposes.
The regulations will cover financial institutions that are regulated by the Australian Prudential Regulation Authority (APRA), excluding branches of foreign banks.
Additionally, the Communications Minister will have the ability to specify additional services entities, if required, but only for entities that are related to APRA-regulated entities.
- Information can be used only for the purposes of preventing or responding to cyber security incidents, fraud, scam activity or identity theft
- Entities that wish to receive the data must provide written commitments to the ACCC that they will comply with their obligations under the Privacy Act 1998, attest to APRA that they meet the relevant information security standard, and confirm in writing that the information they are seeking is necessary and proportionate
- Approved recipients must satisfy robust information security requirements and protocols for any transfer and storage of data
- Information received must be destroyed once it is no longer required
Financial regulators have also taken further steps to better protect customers, through the Australian Competition and Consumer Commission’s (ACCC’s) ScamWatch and direct engagement with financial institutions.
“Our Government has been working in lockstep with banks and financial regulators to facilitate the safe and secure sharing of data between Optus and regulated financial institutions, with appropriate safeguards, to improve consumer protection,” Federal Treasurer Jim Chalmers said.
“Financial institutions can play an important role in targeting their efforts towards protecting customers at greatest risk of fraudulent activity and scams in the wake of the recent Optus breach. These new measures will assist in protecting customers from scams, and in system-wide fraud detection.”