Interview with Sarah Ferguson, ABC Sydney

SUBJECTS: Optus Breach, Data Sharing, Data Holding.

SARAH FERGUSON, HOST: A 19-year-old Sydney man was arrested today accused of attempting to blackmail people caught up in the Optus hack, demanding money via text message. Desperate to head off widespread fraud in the aftermath of the massive identity theft, the Federal Government announced new regulations today enabling Optus to share customers' information with banks and government institutions. Communications Minister Michelle Rowland joined us from Canberra a short time ago. Michelle Rowland, welcome to the programme.

MICHELLE ROWLAND, MINISTER FOR COMMUNICATIONS: Pleasure.

FERGUSON: Now, we saw the first arrest today of someone accused of trying to exploit Optus stolen data. How vulnerable are the more than 10,000 Australians whose identities, whose documents were published on the internet?

ROWLAND: Well those vulnerabilities are there and that is the reason why we have our law enforcement agencies working tirelessly to investigate the source of this breach and any other malicious activity that involves consumer harm. It is pleasing to see that their actions are bearing fruit, but of course it is a salient reminder of what this is about. It is about consumer data being utilised in a way to harm Australians.

FERGUSON: Now that's from the Operation Guardian side of law enforcement at the moment. What do we know now about the hacker or hackers who stole the information?

ROWLAND: That information is something that is ongoing and is developing and of course, Operation Hurricane continues to be underway between Australian authorities and the FBI and I will let that run its course.

FERGUSON: Just by the way, why did we need to bring in the FBI?

ROWLAND: It was considered necessary by our law enforcement agencies.

FERGUSON: Why is that though?

ROWLAND: The reasons for engaging these other enterprises? Because of course, the FBI has that intelligence that goes beyond borders, they can coordinate better, but beyond that I really can't tell you anymore.

FERGUSON: Now, turning now to the new regulations that you and the Treasurer announced today, how will those changes help someone going through the nightmare of having their identity stolen and trying to unravel the terrible consequences of that?

ROWLAND: Well, firstly, we acknowledge that this is an area of great, not only financial, but emotional distress for a lot of people who have been the victims of scams, in particular in the past. We know how prevalent they have been. But I think firstly, Australians should be assured that our uppermost concern here is to ensure their privacy and to keep them safe. And that's why these regulations have been designed to do two very specific things in a very limited range of circumstances, but an effective range of circumstances. The first is to enable government identify information to be shared with financial institutions who are well placed to mitigate the risk of scams and other malicious activity, but also sharing with government agencies like Services Australia to ensure that they can do very similar.

FERGUSON: Just briefly, how quickly do you expect them to be up and running?

ROWLAND: Since the sector, both financial services and telco, are well aware of this, I expect that they will act expeditiously.

FERGUSON: But you don't have a time frame for that?

ROWLAND: I expect that they will be ready to go.

FERGUSON: Now, one of the problems with the Optus theft is that the telco was hanging on to information for a very long time. How do you prevent these institutions, government and otherwise, from doing exactly the same thing?

ROWLAND: Well, it's a salient reminder that any organisation that holds large amounts of data, in particular personal information of customers, needs to ensure that they comply with all relevant laws at all times, including the Privacy Act, including the Telecommunications Act, as that applies to the sector.

FERGUSON: And I think I'm going to interrupt you just briefly for a moment there, because one of the problems over the past few days has been a great deal of some confusion over the laws around how long Optus was supposed to hold this information. So how do you prevent the same thing happening again?

ROWLAND: Certainly, and there are two points I'd make there. Firstly, in terms of the regulation at hand, this regulation lasts for twelve months and it is very clear within its terms that whoever is obtaining this information must only examine it for twelve months or hold it as necessary and review the need to continue holding it every twelve months. And where that is no longer required, then it must destroy that information. That is a very clear requirement in the regulations that we've put in. But to your other point about the wide range of different laws and regulations that apply to customer data, this is true. It is a fact that they do differ across sectors, and even within sectors. I would point out that there are very strict prohibitions under current telecommunications laws about the disclosure of personal information. And some of the information that is retained has been designed and has really evolved over a period of time for some quite valid reasons. And just to give you one example, prepaid mobile services where we saw them starting to be used for criminal activities in particular, and specifically heinous crimes, it was determined at the time, and rightly so, that customer data about those services needed to be held. But the question is, and I think guidance can be provided, and I have my department and regulators working on this, guidance can be given on precisely what form that needs to be held and when it is no longer required.

FERGUSON: So in this case, how do you ensure that the data is held safely within these institutions? We're now actually spreading the number of institutions that hold these very crucial identity documents. How do you keep them safe?

ROWLAND: Well, to that point exactly, this is one of the reasons why we have designed the regulations in this way. There must be undertakings provided about the need to have this information. There must be undertakings provided as to the receipt of it and the use of it as well. So there are very clear provisions within the regulations that go to all of those issues to make it a very tight set of laws that will apply in this instance. Going precisely to that issue that you mentioned.

FERGUSON: I think we're now into our second week after the initial theft from Optus and there remains a significant divergence of understanding about how it happened. Optus claimed that it was sophisticated. Your colleague, the Home Affairs Minister, said on this programme that it was not a sophisticated attack, that essentially Optus had left a window open. What are the facts of the matter now?

ROWLAND: I think we should continue to let those law enforcement agencies do their jobs and I think the key issue here for the Australian Government is to do everything in our power to keep Australians safe and that's why we brought those regulations forward today.

FERGUSON: And does the announcement of a working group between the government and Optus suggest that relations between you and the Telco are on a better footing now?

ROWLAND: Let me be clear. Our primary concern in all of this has been the welfare of Australian consumers, many of whom have been impacted and continue to be deeply concerned even today. So that has been the focus of the Australian Government at all times. We will do everything necessary to coordinate, not only across our departments, right across government, but also with the sector and with corporate Australia more generally in the longer term to ensure that we continue to keep Australians safe.

FERGUSON: Michelle Rowland, thank you very much indeed for your time.

ROWLAND: Pleasure.