
Editorial

Cost of complacency: We must compel corporations to take data protection seriously

As our lives have become increasingly digitised, we routinely allow businesses to have our personal information and track our online activity. It now seems almost equally routine to read that the safeguards major corporations place around this data have been breached, whether it is the result of malicious hackers (Optus, Qantas), errors in data handling (Telstra) or employees abusing their access to private information (American Express).

These breaches have the potential to affect millions of Australians. And they are part of a growing trend. Abigail Bradshaw, the director-general of the Australian Signals Directorate, said recently that the agency had responded to 1200 cybersecurity incidents in the latest financial year – up 11 per cent – and notified critical infrastructure entities about potential malicious activity affecting their networks 190 times, more than double the figure for the previous year.

More could be done to protect Australians from data breaches. Credit: Bloomberg

But the sanctions companies face for failing to protect data suggest that the threat is one we’re prepared to live with, an accepted price of doing business online.

This month, in a first for this country, the pathology services provider Australian Clinical Labs was ordered by the Federal Court to pay $5.8 million in penalties over a data breach that exposed the personal information of 223,000 people. The Office of the Australian Information Commissioner (OAIC) hailed the decision as “an important turning point in the enforcement of privacy law … in line with the expectations of the public and the powers given to the OAIC by parliament”.

This week, our investigative reporter Charlotte Grieve has turned the spotlight on another OAIC investigation, involving financial giant American Express. While that investigation is still to be concluded, we are entitled to ask whether a penalty in the low millions of dollars is likely to change behaviour at a company with net income in the billions.

This masthead has often reported on the increasing sophistication and scale of cybercrime, a problem the rise of artificial intelligence is only going to exacerbate. But the American Express case also suggests that some of the lapses are as simple as a failure to track all employee logins within an organisation, which surely belongs in the category of Online Security 101.

Grieve’s reporting on the American Express case also raises questions over whether the OAIC is doing enough to reassure those making complaints, with its investigation so far taking two years and the complainant saying that the OAIC cited a lack of resources in its decision not to investigate whether there had been a “notifiable data breach”, which might have justified stronger penalties.

While the OAIC has been strengthened, and there is at long last a tort for invasions of privacy, this masthead believes more could be done.


The scale of sanctions for money laundering in the financial sector has created a more co-operative relationship between government financial watchdog AUSTRAC and the banks it regulates. If major companies knew data breaches would have sizeable financial consequences, they might be compelled to improve handling of consumer data and to ensure that third parties they entrust data to, such as supplier networks, have the same safeguards in place.

For years, there has been talk of implementing a “right to erasure” of personal data in any update to the Privacy Act, and Qantas’ decision to purge old customer data following the 2022 Optus hack was telling, though ultimately it proved insufficient. The longer businesses hold on to data of their former customers, the greater the risk.


There is also the question of what data it is “fair and reasonable” to collect, as the law puts it. In 2023, then-attorney-general Mark Dreyfus said: “The Australian people rightly expect greater protections, transparency and control over their personal information.”

At present, transparency is a major shortcoming, with customers only notified if they are the subjects of a breach. But if companies had to report breaches to a public record, would this focus both their response and consumer awareness?

It is now possible for both corporations and criminals to aggregate massive amounts of information about our activities and preferences with a view to monetising them, in what some people call “surveillance capitalism”. A sinister example was on display this week, when it became clear that public figures including Prime Minister Anthony Albanese had had their contact information published online.

As Tom Sulston, head of policy at lobby group Digital Rights Watch, pointed out: “The worst thing that’s probably going to happen to [Albanese] ... is he’ll get a few prank calls, and then he’ll have to get a new phone number ... but if you’re someone who’s getting out of domestic violence, your address is leaked, that could be literally fatal.”

The latest headlines may soon be forgotten, and the problem of data protection may return to ticking away in the background. But with surveys showing nearly half of Australians have had notification of a data breach involving their information, and victims of cybercrime each losing an average $33,000 last year, can we really afford complacency?


Original URL: https://www.theage.com.au/national/cost-of-complacency-we-must-compel-corporations-to-take-data-protection-seriously-20251016-p5n316.html