George Newhouse and Duncan Fine 

Australian companies don’t value keeping our data safe because they have little to lose. Our laws need to change that

Our nation’s data security practices have been so sloppy that recent major data breaches could have been avoided with simple protections
  
  

Optus apologises with Sorry sign after cyberattack
‘Businesses make money and are more profitable when they take and use your personal data. Some make money by selling your details to others.’ Photograph: Richard Milnes/REX/Shutterstock

Few would disagree with the view that the world has changed more in the last 20 years than it did in the 2,000 years before that.

In today’s connected world, breaking news is streamed live into the palm of our hands in seconds. The dark side to that connectivity is that the minute details of our personal lives are increasingly collected and stored by governments and corporations.

Many of us are disturbed to see significant data breaches of our personal details and sensitive health data. It is clear that the system is failing and Australians need much stronger protections to guard their data.

Over the last weekend our team have spoken to people affected by the latest Medibank data breach. Some complained about their personal data being used to access bank accounts but many of us don’t realise the broader impact of this leak.

Some individuals are living in fear for their lives if their addresses are made public, others fear public ridicule, the loss of their employment and relationship break downs if their sensitive medical information is made public. Some are at risk of being blackmailed if their HIV status or other health information is made public.

We have had to suggest 24-hour security for some Medibank members who have a high public profile and whose home address is strictly confidential.

Like many corporations, Medibank promises to store members information securely and to have a range of security controls in place. They claim that their employees and contractors regularly receive targeted privacy training.

They claim to keep personal information for only as long as it is required in order to provide their members with products and services or to legitimately comply with their business and legal obligations. But we know of some Medibank customers whose policy expired 10 years ago who have been notified that their data was included in the breach.

How did this happen? One reason is that Australian privacy law is weak and our laws don’t motivate corporations and governments to take cybersecurity seriously.

That’s because they have little to lose themselves. This is a market failure that requires regulation. Businesses make money and are more profitable when they take and use your personal data. Some make money by selling your details to others, but because there is little downside, they don’t value the loss of your data.

Data security costs money and requires commitment. While some international cybercriminals are becoming more technically adept, our nation’s data security practices have been so sloppy that recent major data breaches could have been avoided altogether if simple practices like multi-factor authentication were in place.

The Morrison government sat on a Privacy Act review for two years. Now is the time for action. The Medibank, Optus and NDIA mass data breaches demand urgent rights-based change which could be summarised in a five-point plan, including an individual right:

1. To make informed decisions before consenting to the use of your data.

2. To know when your data may have been accessed or misused.

3. To sue when your data has been accessed or misused.

4. To withdraw your consent to the use of your data.

5. To demand removal of your data from databases, including automatic removal when no longer required by law.

When a data breach occurs not all corporations are open with those affected, they rely on secrecy and confusion about what information has been taken to either fail to notify or to delay notifying individuals affected.

The Privacy Act just doesn’t encourage the prompt and efficient notification of data breaches. We’re not aware of any organisation being penalised for failing to notify a data breach since the Privacy Act was passed in 1988.

In the UK an individual can sue for a breach of their privacy. In Australia many corporations rely on judicial uncertainty about consumer rights to minimise the risks to their bottom line. This is one of many weaknesses of our system that must change.

Indeed, one of the recommendations in the government’s Privacy Act review is to legislate a common law right to sue for an invasion of privacy.

How many of us have ticked a box to allow a cookie on our computers not realising that allows the collection and commercial use of your personal data? That’s not informed consent and it must stop.

Individuals need to understand what personal details of theirs are being harvested and how they will be used by businesses or governments, and they need to have the right to withdraw their consent to the use of their data.

Additionally, businesses should be forced to delete data when it is no longer required or when individuals demand that their data is removed from databases.

It’s convenient for Australian companies to cry that they are the victims of a global hacking war. But that is a distraction from the urgent need for those companies dedicate security and IT resources to protecting our data.

The world is fast and connected but the absolute safekeeping of sensitive personal data safe is critical to business survival in the 21st century. A rights-based approach might just encourage that change.

• George Newhouse is an adjunct professor of law at Macquarie University and a member of the legal team put together by Bannister Law Class Actions and Centennial Lawyers to investigate a class action into the Medibank data breach.

• Duncan Fine is a solicitor and writer and a member of the legal team put together by Bannister Law Class Actions and Centennial Lawyers to investigate a class action into the Medibank data breach

 

Leave a Comment

Required fields are marked *

*

*