Calls for Stronger Data Protection in the Wake of High-Profile Data Leaks
Optus, Medibank and My Deal (a subsidiary of Woolworths) have all suffered massive data breaches in recent weeks, affecting millions of Australians.
What has transpired in the wake of these cyber crimes is that Australian data protection laws not only enable companies to take a ‘reactive’ rather than a ‘proactive’ approach to data breaches, but also fail miserably to protect consumers.
Consumer advocates and technology experts have all weighed in on the debate in the wake of these massive cyber breaches, and the anger and frustration of the consumers affected has been palpable.
Of course, you can’t make a simple online transaction these days without the requirement to hand over some personal identifying information. And in the digital age, data has become a commodity.
Everyone is vulnerable
But the recent cyber attacks show just how vulnerable companies and government organisations are, and the devastating impact that data breaches can have on individuals.
Millions of Australians affected by the Optus data breach had names, email addresses, phone numbers and in some cases drivers’ licences and passport information stolen.
The Medibank Hack
In the case of the Medibank breach, sensitive healthcare information was also taken, along with identifying information such as names and birthdates, and in some cases, financial information.
Those who claim to be responsible for the Medibank hack have threatened to use the information for extortion, demanding a big payout.
This has put Medibank in a very difficult position because even if it did pay up in exchange for the return of the data, there is no guarantee that the information wouldn’t be sold in any event on the dark web, or that it will come back in pristine condition, not corrupted or riddled with ransomware.
The threat of identity theft is very real and difficult to recover from
There are endless possibilities and all of them spell bad news for individuals caught up in the mess.
Identity theft is real, and it is very difficult to recover from. If your identity is stolen, people are able to commit crimes under a false persona, and this can potentially lead to a wrongful arrest.
It also makes people vulnerable to financial fraud – thieves racking up large debts, stealing money from bank accounts, or taking out loans, all in someone else's name.
What does the law say?
In Australia, under the federal Privacy Amendment (Notifiable Data Breaches) Act 2017, eligible businesses must notify the Australian Government via the Office of the Australian Information Commissioner (OAIC) if a serious data breach has occurred.
Failure to comply can result in fines of up to $1.7 million for companies, which some might argue is simply a ‘slap on the wrist’ for large corporations such as Optus.
Draft legislation, the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, proposes higher penalties for organisations, but the problem, as identified by recent data breaches, remains much the same – a company’s obligations do not extend beyond reporting and taking reasonable steps to assist consumers.
But a significant onus remains on individuals to protect themselves, even though we all place significant trust in companies to manage and protect our information.
The Privacy Act 1988
Under the current Privacy Act 1988 (Cth), individuals do have the right to make complaints to the Privacy Commissioner if they believe that their privacy has been breached by an organisation, and the commissioner has the power to investigate and determine an appropriate outcome, including compensation. But this process has been labelled as ‘slow’ and ‘cumbersome’.
Questions need to be asked about whether it should be updated to more adequately reflect the fast-paced, technology-driven environment we all live and work in.
There are a number of investigations underway into Optus, and there is a possibility these may lead to law reform, and also the possibility that Optus could end up paying hefty fines, if it is found to have breached any of its responsibilities.
The Australian Federal Police has specialist units investigating each of these cyber-crimes in the hope of catching those responsible.
But for now, consumers are taking matters into their own hands. Two law firms have already been investigating the possibility of a class action against Optus, and those affected are invited to sign up. Other class actions may follow suit.
This post is informative only. It is not legal advice. If you have a specific legal matter you’d like to discuss, please contact us.