Experts say forcing companies to delete data would remove cybercrime ‘honey pot’


Giving Australians the right to force the removal of their personal details from company databases would help combat the growing impact of mass data theft, experts say.

More than 25 million customer accounts have been exposed in just three cyber attacks involving major companies in Qantas, Optus and Medibank.

University of Queensland cyber security expert Ryan Ko says the number of Australians exposed to the risk of cybercrimes such as identity fraud or extortion is “increasing by the day”.

“There’s no way you can tell how the leaked information is going to be used,” he said.

“Basically you’re just a sitting duck.”

University of Queensland professor Ryan Ko says the “right to erasure” would allow people to hold companies to account for how they handle their sensitive personal information. (Supplied)

Professor Ko says there is no end in sight to these mass data heists.

He says that is because highly-organised and opportunistic cybercriminal gangs — some of them state-backed — are well-placed to sniff out the weaknesses of most Australian companies whose “current practice and governance structures [are] not set up to be cyber-resilient”.

This is despite Australia ranking as the world’s number one state in cyber defence, according to a Harvard University report in September 2022.

That same month, about 9.8 million Optus customers learned that hackers had accessed their sensitive data including names, birth dates, and in some cases home addresses and passport numbers.

In Queensland alone, the state government had to replace more than 178,000 driver licences.

The hackers exploited security flaws including a publicly available application programming interface.

The next month, hackers targeted Medibank with a ransomware attack, threatening to release the medical records of 9.7 million people on the dark web.

The hackers allegedly swiped an IT staffer’s sign-in credentials from his private computer, exploiting Medibank’s lack of safeguards such as multi-factor authentication, and its alleged failure to act on alerts and warnings from consultants about system weaknesses.

Watchdog investigations take years

The 2022 breaches exposed the details of not only current but also former customers of both Optus and Medibank.

Qantas claimed to have learned from these earlier scandals by deleting old customer data.

But last month it suffered an attack via its call centre in the Philippines, which exposed details of 5.7 million current Frequent Flyer customers.

More than a million people came to learn these included their addresses, reportedly including a federal MP who criticised Qantas for not being “upfront about the extent of personal details accessed at the start”.

The airline yesterday said it had found no evidence yet of stolen data being released but was “actively monitoring”.

It took out an interim injunction in the New South Wales Supreme Court to “prevent the stolen data from being accessed, viewed, released, used, transmitted or published by anyone”.

Corporate accountability in Australia — and the prospect of people being compensated for harm by sharing in penalties on corporations that fail to protect their sensitive data — can be a long time coming.

Optus’s full page advertisement in The Australian newspaper on October 1, 2022. (ABC News: Dannielle Maguire)

The federal government watchdog, the Office of the Australian Information Commissioner (OAIC), is still investigating the Optus breach almost three years on.

The Australian Communications and Media Authority has sued Optus in the Federal Court, and that matter is still ongoing.

The OAIC’s pursuit of penalties against Medibank also remains before the Federal Court.

And there are several class actions by law firms against Medibank which remain on foot.

The 2022 breaches did spur privacy reforms by the federal government in December, including greater powers for the OAIC, which can now hit companies with fines of up to $50 million for serious breaches (up from $2.2 million).

A way to ‘take back control’

With regulator crackdowns and legal battles taking years, some experts say there is another proposed reform to address public distrust of companies holding their personal information.

This is the “right to erasure”, which would allow people to force companies to explain what personal information they hold, what they do with it, and to delete or de-identify that information.

Privacy experts such as University of New South Wales academic Katharine Kemp have argued that companies use a “self-serving” interpretation of current guidelines to collect as much customer information as they can, use it for more and hold it for longer.

The right to erasure, which has been in place in Europe since 2018, would help stop damaging data hacks, they say. 

And it is a right that 90 per cent of Australians support, according to a 2023 survey of about 1,600 people by the OAIC.

Technology lawyer James North says he’s no privacy advocate — but giving people more control over how companies use their data can help address the fallout of data breaches.

James North, who heads the technology practice at law firm Corrs Chambers Westgarth, says there is “a growing sense in the community that … people want more control over their data”.

He says people have the right to “have the data about you corrected … but you don’t have an explicit right to say, ‘Don’t use my personal data’”.

“So that reform would give individuals more control over their data,” Mr North says.

“I’m obviously not a privacy advocate, I work for big clients and assist them to comply with laws.

“But data minimisation, not collecting data that’s not required for identity checks for example, and having these avenues for consumers to understand what information companies have about them and making sure that it’s appropriate — and for companies to delete information when it’s no longer required — it’s much better than having a breach and then a class action.

“That’s in no-one’s interests.”

Removing a ‘honey pot for cybercriminals’

Professor Ko says the reform would be “a great move, and a great direction, especially given the fact that individuals can hold companies or organisations to account”.

“In terms of implementation, if it’s just within an organisation, the right to erasure is actually technically possible,” he says.

“It also gives the organisations an opportunity to look into how to communicate that with customers, like, ‘If we collect your data, it’s used for this, and when you’re no longer a customer with us, we’ll be deleting this, and you know you can call us’.

“It’s a good system and a good practice to have, and it also reduces the chance of your organisation being a honeypot for cybercriminals.”

Government ‘taking time’

Michelle Rowland is working on reforms including the proposed right for people to force companies to delete their personal information. (AAP: Mick Tsikas)

The Albanese government agreed “in-principle” to the reform in 2023, subject to exceptions in the public interest, including for law enforcement and national security.

A spokesman for Federal Attorney-General Michelle Rowland says the government is “aware of the significant impacts of data breaches on people whose personal information has been compromised, often without their knowledge, and is committed to protecting the privacy of all Australians”.

He says the government is “continuing work on a further tranche of reforms”.

But he declined to say when it planned to introduce them – or whether they would include a right to erasure.

“The government is taking the time needed to get the balance right between protecting people’s personal information and allowing it to be used in ways that benefit individuals, society and the economy,” he says.

“We know this is a complex policy area and engages a wide range of stakeholders with diverse perspectives and interests.”
