Big hacks raise questions about why troves of valuable data remain online for years. What are the rules on this? And how easy is it to hit delete on your digital details?
Sensitive information about medical procedures and treatment history. Passport details. Medicare numbers. It’s the kind of information that’s been laid bare for thousands of Australians through data hacks over many years – none so large-scale as the information thefts from private medical insurer Medibank and allied companies, and from telco Optus, in 2022, which threw a spotlight on our vulnerability in the age of digital data gathering (and keeping).
After any hack becomes public, there’s a rush among those hacked to change ID documents, lock down accounts or brace for any further damage, while those not affected fret it could be them next.
But what then?
Big hacks raise questions not only about how and why attackers break into a company’s systems – but what troves of valuable data are doing there in the first place. Why are companies holding on to our data for so long? Why don’t we have a “right to be forgotten” like the citizens of Europe? And what recourse do we have if we suddenly find our sensitive information is scattered around the dark web?
Credit:Artwork Aresna Villanueva
What information about you gets stored?
Companies hold all sorts of details about you, from your age and ethnicity to, say, your passport number and your computer’s IP address. In most cases, you’ve handed that over voluntarily, say by applying for services or proving your identity.
Other data is collected without you knowing: technical information from your device (phone model, preferred browser, location) and public details from your social media profiles (your friends, your pets, your interests). Some companies will share or sell this information, although it’s often de-identified, which makes it less of a concern if you’re worried about your life being exposed (with the caveat that de-identified datasets can sometimes be combined to single people out again).
The likes of banks and insurers have public-facing privacy policies that mostly say the same thing: your data is stored to identify you as a customer and to enable you to carry out your business with the company, and it’s used to improve services and stop fraudulent activities as well as to comply with legal obligations and perform analytics (crunching all the data together to come up with insights about customers generally).
A company’s privacy policies can be less available with smaller or less-regulated outfits. Does your local real estate agency follow best practice when it comes to storing all those personal tidbits you supplied in your rental application? What happens when a retail worker asks for your email address to send you a receipt? Or when a random app you’ve installed collects your date of birth?
It’s safest to assume that this kind of information will not only be stored but may be linked with other bits and pieces you’ve handed over. It may also be shared or combined within networks of companies, which is how AHM customers found their details caught up in the Medibank breach.
For how long do companies store your details?
Essentially, as long as they like. No Australian law sets a hard deadline after which data must be deleted. The Privacy Act only requires organisations to destroy or de-identify personal information once it is no longer needed for a permitted purpose, and leaves it to them to judge when that is. There are, on the other hand, plenty of rules and incentives that encourage companies to hoard.
For example, companies are obliged to hold certain records for seven years under both the Corporations Act and the Anti-Money Laundering and Counter-Terrorism Financing Act. And telcos have to retain certain data about you and your services for at least two years.
But stuff about you is more than likely kicking around for longer than that.
If you have a mortgage, for example, companies are encouraged to not delete related data until seven years after the loan is completely paid off; yes, that’s potentially decades. It’s a similar story with medical records; health companies in most states are obliged to hold on to data from patients for at least seven years after the final entry in their record, even if that’s ages after the first entry.
How come? Partly for law enforcement. If someone commits fraud, or a significant theft, or is laundering, or supporting terrorism, these laws are designed to ensure their paper trail is there to follow. Companies obviously will not know in advance which people are going to be the subject of criminal investigations, so they’re encouraged to hang on to everyone’s data. The downside is that a lot of information about you can be sitting around in the same place for a long time.
Many companies also hang on to the data because it benefits them, says Kathryn Gledhill-Tucker, vice-chair of non-profit Electronic Frontiers Australia. Customer demographics and behaviour, purchase history and preferences are very useful in marketing and refining products.
“We have both a legislative and financial system that encourages the hoarding and over-collection of data,” she says. “Often, organisations won’t name the piece of legislation they’re complying with. It’s just a bit of a nebulous ‘we need to’, and it also happens to be financially convenient.”
Can you be ‘forgotten’ if you ask to be?
In Europe, there’s a legal “right to be forgotten” (formally, a right to erasure) as part of the General Data Protection Regulation (GDPR), which was the toughest set of privacy rules in the world when it was adopted in 2016 and came into force in 2018, and continues to be a high watermark that privacy advocates measure against. Once a customer withdraws their consent or objects to the processing, the company has a month to act on the request (extendable in complex cases) and must erase the data unless another legal basis for keeping it applies. In Australia, there’s no such right of erasure. The federal privacy law says entities must take “reasonable steps” to destroy or de-identify data once it is no longer needed, and there are similar requirements at a state level. But it’s up to that “entity” to decide whether they still “need” your data.
Companies are often given legal advice to keep your data for longer than the minimum timeframe, especially if there’s any risk it could be useful in legal proceedings. It’s possible, for example, that a former customer could make allegations more than seven years after their dealings with a company, and the company would want evidence of what occurred.
In any case, some companies are simply not set up to be able to delete user data. Your data can be stored across several locations, or might have been passed to third parties, or could be locked in historical back-ups that can’t be edited and would be expensive to hunt down – all of which makes it extremely difficult to delete even if a company wanted to.
Even in the European system, companies can balance their responsibility to delete data with their need to keep back-ups. They might delete a customer’s data from their live production systems but tell them their data will remain in back-up until it eventually expires. So if Australia instituted a right to be forgotten, it would still be possible for your data to hang around for years, then for you to request it be deleted and for the company to comply – only for criminals to access your information via back-ups.
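The back-up problem described above has a standard engineering answer that the article does not go into: crypto-shredding. Every customer’s records are encrypted under that customer’s own data-encryption key, back-ups only ever hold ciphertext, and “forgetting” a customer means destroying their key. The ciphertext can stay in an immutable back-up for years, but nobody can read it. The following is an added example written for this page, not code from Medibank, Optus or any vendor mentioned here. To run with no third-party packages it uses a stdlib-only stream cipher built from HMAC-SHA256 in counter mode with an HMAC tag; in production you would use AES-GCM from a vetted library and keep the per-customer keys in a KMS or HSM, both of which are assumptions of this illustration.

```python
"""Crypto-shredding demo: per-customer keys, ciphertext-only back-ups, erasure by key destruction."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption and MAC keys from one 32-byte customer key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from a PRF (HMAC-SHA256). Stand-in for AES-CTR.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; raise on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class CustomerStore:
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}          # key vault (a KMS/HSM in production; assumption)
        self.records: Dict[str, List[bytes]] = {}  # live store: ciphertext only

    def put(self, customer_id: str, plaintext: bytes) -> None:
        dek = self.keys.setdefault(customer_id, os.urandom(32))  # one key per customer
        self.records.setdefault(customer_id, []).append(encrypt(dek, plaintext))

    def get(self, customer_id: str) -> List[bytes]:
        dek = self.keys.get(customer_id)
        if dek is None:
            raise KeyError("customer forgotten: key destroyed")
        return [decrypt(dek, blob) for blob in self.records.get(customer_id, [])]

    def snapshot_backup(self) -> Dict[str, List[bytes]]:
        # An immutable back-up copies ciphertext, never keys.
        return {cid: list(blobs) for cid, blobs in self.records.items()}

    def forget(self, customer_id: str) -> None:
        # Erasure = destroy the key. Every ciphertext copy, in any back-up, is now unreadable.
        self.keys.pop(customer_id, None)
        self.records.pop(customer_id, None)


def restore_from_backup(store: CustomerStore, backup: Dict[str, List[bytes]], customer_id: str) -> Optional[List[bytes]]:
    """Try to read a customer's records straight out of an old back-up."""
    dek = store.keys.get(customer_id)
    if dek is None or customer_id not in backup:
        return None  # the bytes may still exist, but without the key they are noise
    return [decrypt(dek, blob) for blob in backup[customer_id]]


def demo() -> dict:
    store = CustomerStore()
    store.put("cust-1", b"Medicare number: 0000 00000 0")  # constructed sample data
    store.put("cust-2", b"passport: X0000000")              # constructed sample data
    backup = store.snapshot_backup()   # taken while cust-1 was still a customer
    store.forget("cust-1")             # erasure request honoured by destroying the key
    return {
        "cust1_live": "cust-1" in store.records,
        "cust1_in_backup": "cust-1" in backup,
        "cust1_restorable": restore_from_backup(store, backup, "cust-1"),
        "cust2_restorable": restore_from_backup(store, backup, "cust-2"),
    }


if __name__ == "__main__":
    print(demo())
```

The thing that must genuinely support deletion is now the key vault, which is small, central and auditable, rather than every back-up tape and replica the ciphertext has ever touched. The same property is what lets a company tell a regulator that a back-up containing a forgotten customer’s ciphertext is no longer personal information in any usable sense.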
What can you do if your data has been stolen?
Once data has been downloaded or spread by criminals, there isn’t much anyone can do to contain it. It’s out there. But there are some basic digital-hygiene first steps people can take after a breach, says Scott Leach, Australian vice president of global data security company Varonis. “If your data has been compromised, are you using that same username and password to get access to other websites as well? If so, then you should be looking at changing passwords across all of those sites,” he says.
Even if the breached data doesn’t include passwords, criminals can use a combination of data to attempt to access your accounts and, once they’re in, it can be easy for them to get into other accounts that use some of the same information. By activating two-factor authentication on as many accounts as possible, and by using a password manager to keep a strong unique password for each one, you have the best chance of limiting the damage.
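The mechanism in the paragraph above, one breached site giving an attacker a working login at every other site where the same username and password are used, is what a password-reuse audit is meant to catch before the attacker does. The following is an added example for this page, not a tool from Varonis or anyone quoted here. It runs over a constructed vault export and a constructed breach dump, and checks passwords against a constructed stand-in for a k-anonymity “range” lookup (the client reveals only the first five hex characters of the SHA-1, so the full password never leaves the machine); the site names, credentials and the lookup index are all made up for the illustration.

```python
"""Audit a password-manager export for reuse, breach exposure and credential-stuffing blast radius."""
import hashlib
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Entry(NamedTuple):
    site: str
    username: str
    password: str


# Constructed sample vault export (not real credentials).
SAMPLE_VAULT: List[Entry] = [
    Entry("telco.example", "alice@example.com", "Summer2022!"),
    Entry("bank.example", "alice@example.com", "Summer2022!"),
    Entry("wine.example", "alice@example.com", "Summer2022!"),
    Entry("health.example", "alice", "c9x!Tq#4LmZ8pV2w"),
    Entry("mail.example", "alice@example.com", "correct-horse-battery-staple"),
]

# Constructed stand-in for what a criminal holds after one site is breached.
BREACH_DUMP: Set[Tuple[str, str, str]] = {("telco.example", "alice@example.com", "Summer2022!")}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a k-anonymity range service: indexed by 5-hex-char prefix.
_KNOWN_BREACHED_PASSWORDS = {"Summer2022!", "password", "123456"}
_RANGE_INDEX: Dict[str, List[str]] = defaultdict(list)
for _pw in _KNOWN_BREACHED_PASSWORDS:
    _h = sha1_upper(_pw)
    _RANGE_INDEX[_h[:5]].append(_h[5:])


def range_lookup(prefix5: str) -> List[str]:
    """Server side of the range protocol: return every known suffix for a prefix."""
    return list(_RANGE_INDEX.get(prefix5, []))


def is_breached_password(password: str) -> bool:
    """Client side: send only the prefix, compare suffixes locally."""
    h = sha1_upper(password)
    return h[5:] in range_lookup(h[:5])


def audit(vault: List[Entry], dump: Set[Tuple[str, str, str]]) -> Dict[str, list]:
    by_password: Dict[str, List[str]] = defaultdict(list)
    for e in vault:
        by_password[e.password].append(e.site)
    reused = [sites for sites in by_password.values() if len(sites) > 1]

    directly_breached = [e.site for e in vault if (e.site, e.username, e.password) in dump]

    # Blast radius: any other site sharing a breached username+password pair is
    # reachable by credential stuffing even though it was never itself breached.
    breached_pairs = {(u, p) for (_, u, p) in dump}
    stuffing_risk = sorted(
        e.site for e in vault
        if (e.username, e.password) in breached_pairs and e.site not in directly_breached
    )

    known_bad = [e.site for e in vault if is_breached_password(e.password)]

    return {
        "reused": reused,
        "directly_breached": directly_breached,
        "credential_stuffing_risk": stuffing_risk,
        "known_breached_password": known_bad,
    }


if __name__ == "__main__":
    for finding, sites in audit(SAMPLE_VAULT, BREACH_DUMP).items():
        print(f"{finding}: {sites}")
```

The useful output is the credential-stuffing list: those are the accounts to change first, because the attacker does not need to breach them, only to try the pair they already have. Two-factor authentication on those accounts turns a valid password into an insufficient one, which is why the paragraph above pairs it with unique passwords.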
“Back in the early days, password managers tended to be a little bit complex, and a little bit cumbersome – you kind of had to open up separate applications in order to be able to pull up your passwords,” says Leach. “The modern ones are pretty well integrated with operating systems, so you can really use them pretty seamlessly.”
And keep in mind that criminals will use data about you to craft elaborate and convincing scams. “You could get a call from somebody who potentially knows your name, or knows your address. If we’re talking about things like [breached beverage seller] Vinomofo, they might know what sort of wine you’ve been buying,” says Leach.
No matter whether it’s a call, email or text message, always be wary of giving any information or clicking any links. Instead, contact companies through verified websites or phone numbers.
What about compensation?
Australian law does not include automatic compensation for victims of data breaches, and, in general, it’s up to companies to decide what’s appropriate. In the case of Optus and Medibank, the companies have set up dedicated support channels, organised complimentary credit monitoring services, and offered to reimburse the cost of things such as replacing ID documents.
However, if a company is found not to have taken “reasonable steps” to protect the information in the first place, it could face penalties under the Privacy Act, including having to compensate customers. So far, that’s been exceedingly rare in Australia, but law firm Maurice Blackburn believes the string of high-profile breaches in 2022 could result in payments that set an important precedent.
The firm has launched so-called representative complaints for both the Medibank and Optus breaches, meaning the Office of the Australian Information Commissioner (OAIC) will investigate the companies for violations of privacy law, and may order compensation for all affected customers.
“The particulars of the failures that we allege are different in each of the cases,” says Maurice Blackburn’s Andrew Watson, a class actions specialist, noting that public reporting has already indicated potential failures but that the OAIC may illuminate more. “For Optus, it seems as though from public reporting, that the breach occurred through what’s known as an open API. The information that we have suggests that there is no way there that that should have been open. In the case of Medibank, there’s a range of things which seem to suggest that there’s been a breach of the privacy principles there.”
Both Medibank and Optus have commissioned forensic investigations into the breaches, which are still ongoing.
Watson says the obligation to protect data is stricter depending on how sensitive the data is, so the fact that hackers were able to break in and stay undetected long enough to grab medical information (in the Medibank case) and ID numbers (in the Optus case), which they were able to publish in unencrypted form, potentially indicates a failure to take reasonable steps. “One of the things [stated in the Act] is that there’s also a specific obligation for corporations to consider whether they need to keep data, or whether they should delete it, or de-identify,” he says. “And so, separate to the breach involving actual access to the data, we’re also alleging that for a range of people there’s been a breach in relation to the fact that the data was being kept far longer than it needed to be.”
An Optus spokesperson says there is no basis for Maurice Blackburn’s assertions. “Optus is working co-operatively with the OAIC in relation to its ongoing investigation. Maurice Blackburn has not commenced legal action and Optus will strongly defend any such action if it is commenced,” the spokesperson says.
A Medibank spokesperson declined to comment.
Anyone affected by the Medibank or Optus breaches may be automatically eligible for compensation through these actions, although Watson encourages people to register at Maurice Blackburn’s website. Slater and Gordon has also lodged a claim related to the Optus breach.
Do the laws on this need changing?
Following the Medibank breach, the federal government changed the law so that Australia now has some of the world’s steepest financial penalties for companies that allow serious or repeated privacy breaches. The maximum penalty was $2.2 million but is now whatever is the greater of these: $50 million, or three times the value of any benefit obtained through the misuse of information, or 30 per cent of a company’s adjusted turnover in the relevant period.
But Watson says Australia’s privacy law is undeveloped by world standards and we need a GDPR-style set of legislative rights as well as a clear mechanism for individuals to claim compensation through the courts. Current claims are made by law firms through the OAIC because that’s the only avenue likely to result in customer compensation. Unlike some other countries, Australia does not let people sue in court directly for privacy breaches.
“Australian consumers and citizens need an enforceable privacy right, which they can seek compensation for the breach of through the courts, and the sooner that happens the better,” he says.
“The way that society’s developed, and with so much of our data stored with corporations, it’s absolutely critical that where those corporations don’t do a proper job there are effective remedies.
“We should also contemplate things like having minimum damages amounts for certain kinds of breach.”
Gledhill-Tucker agrees a GDPR-style system would be a good start. “We really do need legislation that has teeth, that discourages over-collection and discourages keeping data for longer than you really need to. That’s what we’re hoping is going to come out of the current Privacy Act review,” she says. “Recent privacy reforms, which came out very quickly after the wave of breaches we’ve seen, address things like fining organisations but it doesn’t help the individual. There’s very little that we can do as individuals to recoup that loss. And that’s something that individuals have under GDPR, that kind of individual right of action.”
And while it may not be possible to stop sophisticated hacking groups – particularly from overseas – attacking Australian businesses and extracting data, the federal government believes it can strengthen our digital borders with a new cybersecurity strategy and a new team of online police that will “hack back”.
“Our government’s view is that Australia faces the most dangerous set of strategic circumstances since the Second World War and those circumstances are having a real impact on Australians even when they are at home,” said Home Affairs Minister Clare O’Neil in December.
“The cybersecurity strategy will help Australia bring the whole nation into the fight to protect our citizens and to protect our economy.”