Organisations Should Adopt These Rules to Protect Customer Information

Numerous data breaches, which adversely affected the public image of Optus and Medibank, continue to be widely reported in the Australian media and ruefully acknowledged by the chief executive officers of these organisations. These breaches have escalated the significance of privacy and cyber security in political arenas.

These data breaches have put at risk millions of Australians who expected their data to be protected. Not surprisingly, on Oct. 26, the share price of Medibank tumbled from a high of $3.78 (US$2.42) to a low of $2.87 (US$1.84) when it returned to trading following a period of trade suspension, reflecting the dissatisfaction of its 3.8 million members.

It is also ironic that Optus has been unable to protect its customers’ data, even though it indicates on its website that its cyber security and managed security services “give businesses scalable and flexible solutions against data theft, security breaches, and system failure.”

Optus and Medibank failed to implement sufficient security controls to protect their customers against data theft, thereby compromising their confidential information.

Unfortunately, the clamour for the protection of privacy rights is matched and stimulated by the unlimited imagination of cyber criminals, who seek to penetrate the security walls of these companies.

In a move supported by the opposition, the government intends to significantly increase penalties for serious privacy breaches.

First, when data is collected, there has often been an attempt to also collect information that, in itself, is not necessary for the specified purposes of the organisation.

Hence, it is necessary to carefully tailor the needs of the relevant organisation to the information supplied by their customers.

Second, information that is no longer needed, or has become irrelevant, or is outdated, should be deleted in line with the Australian Privacy Principle 11.2. It states that an entity that no longer needs “the information for any purpose for which the information may be used or disclosed” must “take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.”

Third, organisations need to ensure that customers’ consent to the collection of their information is unambiguous and constitutes a meaningful choice.

In this context, customers, when completing membership forms, are often unable to proceed with their application if the “consent” box is not ticked. In such a case, the “consent” is not the expression of the free will of the customer but is merely the imposition of the relevant entity’s unreasonable expectations on the customer.

This would be the opposite of consent since the application form would not allow for the exercise of true choice. The EU’s General Data Protection Regulation (GDPR) relevantly states that consent is not given “if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

Fourth, organisations need to immediately adopt a two-factor identification method for that extra layer of protection for the customer. While this method obviously increases the administrative burdens for customers, it is a reasonable and proportionate protection against the misuse of their data by cybercriminals.

In the case of Medibank, using the language of the GDPR, this factor should help in the protection of “Personal data ... pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject.”

These precautions could turn out to be giant steps in the protection of a person’s sensitive and confidential information when it is shared with an entity.