Big business needs bigger penalties to ensure it protects our data
As our lives have become increasingly digitised, we routinely allow businesses to have our personal information and track our online activity. It now seems almost equally routine to read that this data has been compromised, whether the result of malicious hackers (Optus, Qantas), errors in data handling (Telstra) or employees abusing their access to private information (American Express).
These breaches have the potential to affect millions of Australians and are part of a growing trend. Abigail Bradshaw, the director-general of the Australian Signals Directorate, said recently the agency responded to 1200 cybersecurity incidents in the latest financial year – up 11 per cent – and notified critical infrastructure entities about potential malicious activity affecting their networks 190 times, more than double the figure for the previous year.
But the sanctions companies face for failing to protect data suggest the threat is one we’re prepared to live with, an accepted price of doing business online.
Earlier this month, in a first for this country, the pathology services provider Australian Clinical Labs was ordered by the federal court to pay $5.8 million in penalties over a data breach that exposed the personal information of 223,000 people.
This week, investigative reporter Charlotte Grieve turned the spotlight on another investigation, involving financial giant American Express. While that investigation is ongoing, we are entitled to ask whether a penalty in the low millions of dollars is likely to change behaviour at a company with net income in the billions.
This masthead has often reported on the increasing sophistication and scale of cybercrime, a problem that the rise of artificial intelligence is only going to exacerbate. But the American Express case also suggests some of the lapses are as simple as a failure to track all employee logins within an organisation, which surely belongs in the category of Online Security 101.
Grieve’s reporting also raises questions over whether the Office of the Australian Information Commissioner (OAIC) is doing enough to reassure those making complaints. Its investigation has so far taken two years, and the complainant says the OAIC cited a lack of resources in its decision not to investigate whether there had been a “notifiable data breach”, a finding that might have justified stronger penalties.
While the OAIC has been strengthened, and there is at long last a tort for invasions of privacy, this masthead believes more could be done.
The scale of sanctions for money laundering in the financial sector has created a more co-operative relationship between government financial watchdog AUSTRAC and the banks it regulates. If major companies knew data breaches would have major financial consequences, they might be compelled to improve how they handle consumer data and ensure that third parties to whom they entrust data have the same safeguards in place.
But it is also time for the government to bring Australia up to speed with global best practice. For years, there has also been talk of implementing a “right to erasure” of personal data in any update to the Privacy Act, and Qantas’ decision to purge old customer data following the 2022 Optus hack was telling, though ultimately it proved insufficient. The longer businesses hold on to data of their former customers, the greater the risk.
There is also the question of what data it is “fair and reasonable” to collect, as the law puts it. In 2023, then attorney-general Mark Dreyfus said: “The Australian people rightly expect greater protections, transparency and control over their personal information.”
It is now possible for both corporations and criminals to aggregate information about our activities and preferences with a view to monetising them, in what some people call “surveillance capitalism”.
The latest headlines may soon be forgotten, and the problem of data protection may return to ticking away in the background. But with surveys showing nearly half of Australians have received notification of a data breach involving their information, and the average person losing $33,000 when they were a victim of cybercrime last year, can we really afford complacency?