Organisations Should Adopt These Rules to Protect Customer Information

Commentary

Numerous data breaches, which adversely affected the public image of Optus and Medibank, continue to be widely reported in the Australian media and ruefully acknowledged by the chief executive officers of these organisations. These breaches have escalated the significance of privacy and cyber security in political arenas.

These data breaches have put at risk millions of Australians who expected their data to be protected. Not surprisingly, on Oct. 26, the share price of Medibank tumbled from a high of $3.78 (US$2.42) to a low of $2.87 (US$1.84) when it returned to trading following a period of trade suspension, reflecting the dissatisfaction of its 3.8 million members.

It is also ironic that Optus has been unable to protect its customers’ data, even though it indicates on its website that its cyber security and managed security services “give businesses scalable and flexible solutions against data theft, security breaches, and system failure.”

Optus and Medibank failed to implement sufficient security controls to protect their customers against data theft, thereby compromising their confidential information.

Unfortunately, the clamour for the protection of privacy rights is matched and stimulated by the unlimited imagination of cyber criminals, who seek to penetrate the security walls of these companies.

These criminals are hard to locate and operate internationally from any country while remaining anonymous. The digital imprint of companies has a truly international dimension.

Government Moves to Place Tougher Laws

In these circumstances, it is not surprising that the Albanese government is now planning the adoption of a law that provides for tougher penalties for egregious data breaches.

In a move supported by the opposition, the government intends to significantly increase penalties for serious privacy breaches.

Medibank signage on top of the Medibank building in Docklands, Melbourne, Australia, on Oct. 1, 2014. (Scott Barbour/Getty Images)

The federal attorney-general, Mark Dreyfus, indicates in his press release of Oct. 22 that “We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”

The press release says that the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 to whichever is the greatest of:

  • $50 million;
  • Three times the value of any benefit obtained through the breach of privacy; or
  • 30 percent of an organisation’s turnover during the period of the breach.

The adoption of the legislation is welcome news for the legions of people who are justifiably concerned about the frequent occurrence of data breaches. Such breaches have reached epidemic levels and disrupt the normal business operations of Australia’s major companies and government agencies.

Simple Rules to Adopt

The unsavoury data breaches of the last couple of weeks provide compelling reasons to adopt the following simple but effective rules when dealing with the information of customers.

First, when data is collected, there has often been an attempt to also collect information that, in itself, is not necessary for the specified purposes of the organisation.

Hence, organisations must carefully limit the information they request from customers to what their specified purposes actually require.

Second, information that is no longer needed, or has become irrelevant, or is outdated, should be deleted in line with the Australian Privacy Principle 11.2. It states that an entity that no longer needs “the information for any purpose for which the information may be used or disclosed” must “take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.”

A laptop computer, as seen in a file photo. (Tomohiro Ohsumi/Getty Images)

Third, organisations need to ensure that customers’ consent to the collection of their information is unambiguous and constitutes a meaningful choice.

In this context, customers, when completing membership forms, are often unable to proceed with their application if the “consent” box is not ticked. In such a case, the “consent” is not the expression of the free will of the customer but is merely the imposition of the relevant entity’s unreasonable expectations on the customer.

This would be the opposite of consent since the application form would not allow for the exercise of true choice. The EU’s General Data Protection Regulation (GDPR) relevantly states that consent is not given “if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

Fourth, organisations need to immediately adopt a two-factor identification method for that extra layer of protection for the customer. While this method obviously increases the administrative burdens for customers, it is a reasonable and proportionate protection against the misuse of their data by cybercriminals.

In the case of Medibank, using the language of the GDPR, this factor should help in the protection of “Personal data … pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject.”

These precautions could turn out to be giant steps in the protection of a person’s sensitive and confidential information when it is shared with an entity.

Views expressed in this article are the opinions of the author and do not necessarily reflect the views of The Epoch Times.


Gabriël A. Moens AM is an emeritus professor of law at the University of Queensland, and served as pro vice-chancellor and dean at Murdoch University. In 2003, Moens was awarded the Australian Centenary Medal by the prime minister for services to education. He has taught extensively across Australia, Asia, Europe, and the United States. Moens has recently published two novels “A Twisted Choice” (2020) and “The Coincidence” (2021).