Subjects: CBA data; Perth byelection; QLD tree clearing
DAVID SPEERS: As you heard there in Leo's piece, the Attorney-General Christian Porter has been receiving briefings on this matter today and I spoke to him a little earlier.
Christian Porter, thanks very much for your time this afternoon. So, when were you told about this data breach at the Commonwealth Bank?
CHRISTIAN PORTER: Tuesday evening, my office was informed and I requested a briefing the next morning from the Information Commissioner about the matter. And obviously it's a matter which is very serious, of great concern to me, the Government, and my office. And we had yesterday, or a couple of days ago, APRA producing a report noting that the Commonwealth Bank didn't seem to fully comprehend or understand its many non-financial requirements with respect to compliance and related matters, and this is just an obvious case in point. It is very, very disappointing.
DAVID SPEERS: It is an obvious case. It's one of the most serious breaches as far as the- data breaches as far as the banking sector is concerned. Should you have been told earlier, either by the bank or by the Information Commissioner?
CHRISTIAN PORTER: Well, there's no evidence that I can see - and obviously I'm inquiring into this and it's early days - that there was any reporting up from the Information Commissioner, but I'll confirm that as soon as I am able to.
DAVID SPEERS: That good enough?
CHRISTIAN PORTER: But I think it would have- well, the regime at the time, I must say, was quite different from what is now. And as you'd be aware, our Government has introduced legislation that makes the reporting of this type of breach mandatory and there are very serious civil penalties that now apply to the overarching system.
But, look, notification should flow up to government and down to customers as quickly as possible, so the Commonwealth Bank has come out today and notified all its customers and its position seems to be that the magnetic tapes in question were most likely destroyed, but that they can't fully or finally confirm that destruction, but that there were no pins or security issues in the data, and so that their customers shouldn't be worried.
Now, you know, whether or not that is an accurate depiction of the situation is one question, but if the Commonwealth Bank maintain that position and that's what they've notified customers of today, then the obvious question arises; why couldn't they have notified their customers of that back in 2016? The idea that…
DAVID SPEERS: ….yeah well, exactly. And why did the Privacy Commissioner not tell them to do that back in 2016? I know you're saying the regime was different - you're right, the laws were different. Nonetheless, do you think the Privacy Commissioner should have given them different advice?
CHRISTIAN PORTER: Well, I think that that is a question that needs to be asked and I think that that is something that I will be, obviously, going through the documentation of, but I don't want to jump to that conclusion. Now, at the time, there wouldn't have existed a mandatory power of the Information Commissioner to compel the information be given by the Commonwealth Bank to its customers. So, the regime was quite different. But look, it is a serious data breach, a loss of data in this occasion. The Commonwealth Bank should have informed its customers at the time. I am obviously going to look very carefully at all of the notifications that flowed up to Government at the time to see whether they were adequate.
But at the end of the day, this is a problem with the bank and a problem with its ability to notify its customers and it should not be keeping its customers in the dark.
DAVID SPEERS: Well, to that end: has it actually notified the specific customers involved here? I know it's put out a general statement, but what of those 12 million customers holding nearly 20 million accounts, have they specifically been told? Because as far as I'm aware, this data is still lost.
CHRISTIAN PORTER: The data is still lost and I think you will find, David, that even in the updated regime that we have bought in in 2018, that there are options for large corporations to notify people who might have been affected by a data breach and that can be done in a variety of ways. One of the ways is to notify individual customers. If that is impossible or prohibitive because there are so many customers and contact details might have changed, there are other ways that the legislation stipulates that you can notify your customers. So, even….
DAVID SPEERS: …so, they have to have satisfied their obligation now to actually notify through that general statement, do you think?
CHRISTIAN PORTER: Well, I've- look, I'm a Commonwealth Bank customer. I would've liked to have known. I received my notification today, so it certainly reached me, this general notification. But there are different ways in which you can notify clients. I don't think the issue here is the methodology in which they've chosen to notify their clients, the issue is why now? Why not back in 2016 when the problem became apparent. It is due and proper that you notify your clients and this is the regime, in fact, that our Government has brought in, so now there are mandatory requirements to report this type of breach to the Information Commissioner; there are serious penalties for breaches of the regime and that is a very positive act from this Government to prevent these types of events from occurring in the future. But ultimately, it comes back down to the culture of the organisation in question.
DAVID SPEERS: Alright. But just to be clear, there's no prospect of them facing any penalty under the current laws over this particular breach?
CHRISTIAN PORTER: Well, I just can't say that definitively, but under the Privacy Act that is now drafted, after the reforms that we brought in in 2018, you could argue, without knowing all of the details, that this is a circumstance which could have caused serious harm to clients, which therefore should have been mandatorily informed to the Information Commissioner and there could have been a requirement that they inform their customers at the time. But that is the new regime that our Government's put in place…
DAVID SPEERS: …but right now, just to be clear on this, right now, could they actually face any sort of penalty right now over this?
CHRISTIAN PORTER: Well, that is a complicated legal question that I just simply won't be able to give you the answer to here on air. But it is more likely that if this event happened from 2018 on, that it would be the consequence of a penalty, a very severe civil penalty that in the past; that is a reform that our Government has introduced…..
DAVID SPEERS: …sure. But is someone looking into this now? Is your department looking into whether there is a potential penalty now?
CHRISTIAN PORTER: Of course. As we become aware of all of the details around the breach, we will be looking at any avenues in which we might be able to pursue it.
DAVID SPEERS: Now, look, no one wants to see trust in the banks undermined, but we have had you know a pretty torrid couple of weeks. We had the big banks, or suggestions that they've misled and ripped off customers by charging them fees for services not provided, that damning report from the regulator APRA about a culture of complacency, and now this revelation about the data breach of 20 million accounts. Do you think trust in the banks has been shaken?
CHRISTIAN PORTER: I mean, it's unquestionable that it has been, and for some good reason. I mean, it seemed, at least to me personally, that when the Royal Commission was established, the major issue with which most people were concerned was with respect to lending practices. But as the Royal Commission has gathered pace it seems that sharp practices and, frankly, unethical practices and in some cases quite despicable practices in the banks seem to have permeated a variety of different business models inside the banks, including the provision of financial advice.
So, of course confidence in the banks has been shaken. That is not a good thing for our overall economy. But ultimately, government can play a very strong part in trying to institute systems to repair that confidence, but ultimately that confidence can only be regained by the institutions themselves.
DAVID SPEERS: And yet, as you know, your Government wants to give the banks a tax cut. Can you understand a lot of people saying: well, hang on, that's not right.
CHRISTIAN PORTER: Well, we're proposing tax cuts to the second half of businesses in Australia, which are larger half of businesses. We've already provided tax cuts to businesses with turnovers between $0 and $50 million and that has been a major contributor to the economic growth that has seen fantastic job growth in our economy in excess of 400,000 jobs last year - a record.
So, we're not giving a break to any single part of the economy. We are trying to make the business environment more competitive, ensure that businesses reinvest and grow and generate employment. So, having one sector of the business community subject to quite proper scrutiny shouldn't prevent a government from doing what is needed to be done in the overall tax regime to grow the economy, grow jobs, and produce a better outcome for all Australian families.
DAVID SPEERS: A couple of quick ones, if I can. Tim Hammond has announced he's resigning, as you know. There will be a by-election in his seat of Perth. This is the Labor frontbencher, he's going for family reasons. I just want to ask you on the by-election; will the Liberals definitely run a candidate in the seat?
CHRISTIAN PORTER: I would think undoubtedly, and I'm sure that we'll run a strong candidate and a strong campaign. And it wouldn't have escaped your notice, David, that last week the Turnbull Government announced a $5.4 billion package, in excess of $3 billion worth of Commonwealth funding, to utterly critical congestion busting infrastructure in WA. So, we have a great story to tell here versus our Labor opponents…
DAVID SPEERS: …so, you might actually be a chance of picking up this seat? Well, I think that on the back of recent announcements and the enormous investment that the Turnbull Government's making into congestion busting infrastructure in WA, that we would fancy ourselves and we'll be running a very, very tough campaign.
DAVID SPEERS: And a final one. We've been talking your colleague Matt Canavan about Queensland's new tree clearing laws. I know he's spoken to you about this as well. As Attorney-General, will the Commonwealth take Queensland to the High Court over this?
CHRISTIAN PORTER: I have spoken to Matt Canavan about it and listened to the concerns that have been expressed to him, particularly by Indigenous groups, whose view is that this legislation prevents them from being able to deal in an appropriate and fair way with land that, in effect, they own.
So, I've listened to those. I will consider the matter and it is a very complicated question, but you'll find that, generally speaking, when these types of legislations that exist at a state level and pertain to the ways in which people can deal with their land are challenged, they're challenged by plaintiff groups which aren't the Commonwealth Government and that's been the history of these matters. So, I think at this stage it's certainly a watching brief.
DAVID SPEERS: Attorney-General Christian Porter, thanks so much for joining us this afternoon. Appreciate it.
CHRISTIAN PORTER: Thank you, David. Cheers