It was revealed earlier this week that Optus, Australia’s second-largest telco, is the subject of a class-action lawsuit that has been labelled “an important test of Australia’s privacy laws”.
Optus discovered a data breach during a routine audit of 10 million customers in October last year. The breach involved the publication of the names, addresses, and mobile and home phone numbers of 50,000 customers in the White Pages without their consent.
The class action brought on behalf of affected customers alleges Optus breached the Privacy Act by disclosing personal information that was originally collected for another purpose, including by placing that information in phone directories without the customers’ consent. The action also alleges the telco failed to take the proper steps to protect its customers’ privacy.
The proposed class action is the first of its kind in Australia for a breach of privacy and, if Optus loses, it is likely to face significant fines and untold reputational harm.
Raph Goldenberg, a data and privacy partner at CIE Legal, sees this as a landmark case, saying, “This is a ground-breaking case that will test Australia’s privacy laws.” He urges businesses with large customer databases to heed the warnings of the case and to ensure not only that they have appropriate processes and procedures in place to protect customer data, but also that those processes are tested regularly. “The class action alleges that Optus did not take sufficient steps to ensure its customers’ privacy. Developing policies and procedures for data protection is a good start, but the key to robust data protection is embedding a privacy culture in all staff so it is considered in every decision that is made about customer data usage. Regular training, checks and audits are good ways to minimise the risk of a serious data breach. In the unfortunate event that you have a breach, taking these steps can also help in resolving regulatory investigations, but also in salvaging your relationship with your most important asset, your customers.”
CIE Legal is a boutique law firm that specialises in advising consumer product businesses. We advise a wide range of clients on data and organisational privacy compliance, training, marketing and policy development. If you would like to discuss the issues raised in this article, please contact Raph Goldenberg.