[roenxi]

> The one doesn't excuse the other; if you're required to keep this data you should be treating it with the respect it deserves.

It kind of does. If Optus hires worlds most competent security person, the first comment on this subject would be "there is no commercial or technical upside to storing this data, and massive risks if it leaks. We should delete it immediately".

If the government swoops in and bans them from fixing the problem, it is a bit weird for the government to also penalise them for not fixing the problem. Optus is legally barred from putting an engineering solution in place to remove this risk.

Literally the only two outcomes here for Optus are:

Option 1 - wasted storage fees.

Option 2 - international scandal.

They aren't allowed to pick any other option. It isn't fair to get angry at them for a rather predictable outcome of spreading PII around. Sure with hindsight they could have done a better job of sticking to the first outcome, but seriously if they had the choice it would have been option 3 - take money, ask no questions. Maybe store a credit card number, maybe just use Paypal like a normal merchant.

[Dylan16807]

They're not barred from transferring the data to an offline archive after a week.

[roenxi]

But they do have to make it available to be accessed quickly and cheaply. Plus maybe the police have requirements that it can be accessed in bulk quickly and cheaply.

Anyway, point being, this is demanding Optus be good at something they never signed up for, don't want to be good at. It really sits with the government to decide how the data should be stored and to taxpayers to stump up the money to store it. Optus shouldn't be lumped with this sort of silly responsibility. They don't want it, don't need it and apparently aren't good at dealing with it.

[Dylan16807]

> But they do have to make it available to be accessed quickly and cheaply.

Define quickly, what does the rule say? Is a day not fast enough?

> Anyway, point being, this is demanding Optus be good at something they never signed up for, don't want to be good at.

They already should be good at protecting data. This is making them protect somewhat more important data than they otherwise would, but it's not demanding any new skills.