Having the majority of our life online puts our information at more risk than ever. From social media to online shopping, companies collect and store a significant amount of our personal data. Sensitive data such as bank details, important passwords, and identification information can be damaging in the wrong hands.
In the latter half of 2023, 483 data breaches were notified in Australia, according to the Office of the Australian Information Commissioner (OAIC). This is up by 19 per cent from the first half of the year. Malicious or criminal attacks were the leading cause, responsible for over half of the breaches.
Scammers can use this leaked data, particularly in phishing scams that try to get into your accounts.
In 2023, Australians lost over $2.7 billion to scams, so it’s not just getting hacked that you need to worry about following a breach. This has been a particular concern for super funds, with criminals targeting members to get access to their accounts to swindle retirement funds.
But you have rights around how your data is handled, and there are requirements companies must follow. And if you’re not sure if your data has been stolen? You can use a site like Have I Been Pwned to see if your email appears in any known data breaches.
What do companies have to do to keep your data safe?
Under Australian law, particularly the Privacy Act 1988, companies have obligations to protect the personal information they collect and use.
Key responsibilities include:
Collecting data fairly and lawfully
Companies must collect personal information in a fair and lawful manner. This means they need to inform you about what data they’re collecting, why they’re collecting it, and how they plan to use it. For example, if you’re signing up for a newsletter, they should tell you that your email address will be used to send updates.
Ensuring data quality and security
Companies are required to ensure that the personal information they collect is accurate, up to date, and complete.
They should also take steps to protect the information from being:
- misused
- interfered with
- lost
- accessed without authority
- modified
- disclosed.
To achieve this, companies may use secure servers and encryption, and carry out regular security audits.
Allowing access and correction
You have the right to access the personal information a company holds about you and request corrections if it’s inaccurate, incomplete, or outdated. Companies must respond to these requests within a reasonable time frame, no longer than 30 days.
Being transparent about data practices
Companies must be open about their data management practices. This includes having a clear and accessible privacy policy outlining how they handle personal information, the types of data they collect, how it is used, and who it is shared with.
Not using data beyond its original purpose
When a company collects your data, it should only use it for the specific purpose for which it’s been collected – unless it has your consent or there’s a legal obligation to do so. For instance, if you provide your details for a purchase, the company shouldn’t use that information for marketing purposes unless you have agreed to it.
Data breach notifications
This is an important one: if a company experiences a data breach, it needs to tell anybody who’s had their data compromised as well as the OAIC. In theory, this then means anybody affected can take steps to protect themselves, such as changing passwords or monitoring accounts for suspicious activity.
How can you protect your finances if your data’s been leaked?
The financial repercussions of a potential breach are one of the biggest concerns, and banks have tightened their own security measures significantly over recent years. But it pays to be vigilant; make sure you report any suspicious activity on your account as soon as possible, or freeze your account if you suspect you have been the victim of a breach.
The most important step is to speak to your bank – or other financial institution – if you think you’ve been scammed. Sometimes they may be able to help recover the funds.
Be aware: don’t feel embarrassed if you have been scammed. Data breaches and scams happen to us all. The more people report, the more banks and other organisations can work to identify the criminals.
There are a few sensible steps you can take to minimise the risk of being scammed. This won’t always stop the scammers but it will make it harder for them.
Be cautious about sharing personal information
Only provide personal details when absolutely necessary and ensure the website or service you are using is trustworthy and secure. If you’re not sure, phone the company back to verify.
Use strong, unique passwords
Avoid using the same password across multiple sites and services. Consider using a password manager to keep track of your passwords securely. Combine this with additional verification to make your accounts as secure as possible.
Enable two-factor authentication (2FA)
This adds an extra layer of security to your accounts by requiring not just a password but also a second form of verification, such as a code sent to your phone.
It’s a good idea to use 2FA for financial transactions through online banking and for your superannuation account too, to give you an added level of security.
What can you do if your data isn’t handled properly?
So what happens if you’re one of the millions of Australians caught up in a data breach in recent years? Here are your rights and some steps you can take:
Contact the company
Reach out directly and explain your concerns. Plenty of bigger companies will have customer service representatives who will be able to help. If they have already contacted you, follow their instructions.
Complain to the OAIC
If you’re not satisfied with the company’s response, file a complaint with the OAIC. They can investigate and, in some cases, impose penalties.
Seek legal action
The general rule is that individuals can’t sue for data breaches, but there are exceptions. The company has 30 days to respond once you lodge a complaint with the OAIC. If you’re still not satisfied, then you may want to speak to a lawyer (but be aware this can cost).
Join a class action lawsuit
If a breach affects a lot of people, it might generate a class action lawsuit that allows a group of individuals to sue collectively.
Data breaches and scams are now, sadly, a way of life for us in Australia. But being savvy about how you use your private information and taking steps to protect your finances could make the difference between being targeted and avoiding a scam.
It also pays to know your rights under the Privacy Act. Being informed about what companies are obligated to do may help you hold them accountable if your data is mishandled.