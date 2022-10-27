If my Medibank data leaked, this is what you would have read on some random website about me.
Pretty standard, really (except for point three. Life improved immensely).
Maybe some furious correspondence about whether Medibank was charging too much and refunding too little. Just like every other health fund.
Thing is, I'm not a Medibank customer and heaven forbid my own private health insurer ever has a catastrophe like this one because I would be on the phone to them stat. Asking lots of questions. Being very demanding.
I am boring. I am old. There is little about my life which would excite anyone (except for the know-it-alls who insisted once a caesarean, always a caesarean). Anyhow, my point is this. Millions of people were affected by the Medibank data breach and those people are in a much worse position than those affected by Optus. It's one thing to have your credit card details exposed; it's quite another for a criminal to know your medical history.
Some of those data breach victims are in a panic right now. Because what's in their Medibank records might put their livelihoods at risk. It certainly has put their sense of personal security at risk. What of survivors of domestic violence who've escaped abusive partners? Must they again fear those words, "I'm coming to get you"?
What I want is retribution. I want every single company that inconveniences Australians and catapults their lives into freaked-out turmoil to be punished. And I want justice, including financial justice, for individuals. Malcolm Crompton, a previous privacy commissioner and founder of privacy and cybersecurity consultants IIS Partners, is with me. He wants companies which lose our data to pay us for the time we have spent while we queue, either in person or on the phone. By the time these companies have finished paying the government and finished paying us, they might learn the value of doing their job properly.
"We should be compensated for the waste of our time," says Crompton. "Otherwise, the company takes the gain and everyone else takes the losses."
We share the most valuable asset on the planet with strangers who don't look after it properly. Crompton asks how we can make sure those strangers do a good job and meet the full costs of doing so. Fines, yes. Frequent, thorough audits of their practices. But there is more the government could do to make sure we are safe. It should invest in the Office of the Australian Information Commissioner. I don't mean just the sweet little $5 million top-up it got on Tuesday night. I mean the kind of investment we only ever really see in infrastructure.
Thing is, data is our infrastructure. And unless we have a Privacy Commissioner who has the firepower to find, catch and fine, this new bill will not matter at all. Crompton says the $5 million just made him angry. He says he pointed out the extreme underfunding of the office during his term, from 1999 to 2004. Now, he says, it is extremely unlikely the office will be able to pursue companies in breach if it can't fund that pursuit.
"If the government had announced $50 million, that is getting to the right order of magnitude," he says. "If your regulator is toothless, it doesn't matter what the law says."
There has been a lot of chat about what individuals can do to protect their privacy. It's a lot. Two-factor authentication. Strong, unique passwords. Don't click on links you don't expect. Don't answer the phone to numbers you don't recognise.
But all of this is really not useful to us right now because it wouldn't have protected us from the Optus utter chaos or the Medibank neutron bomb. This is not our fault. It is the fault and final responsibility of Optus and Medibank.
La Trobe University's Jabed Chowdhury, who specialises in cyber security, says Australia's laws and policies are nearly there but a little sloppy around the edges.
"And we really lack enforcement," he says.
Chowdhury believes that's about to change. His view is the new Minister for Cyber Security Clare O'Neil has been impressive, strong in her opinions. She called out Optus for its faffing baloney.
Chowdhury himself is completely baffled by Optus's incompetence in the face of what he describes as a simple attack. Perhaps Optus was too lazy to identify security holes in the first place, he suggests.
How do we get business to take our privacy and the security of our data seriously? Only one thing will work. Name. Shame.
And, let me paraphrase, fine the bastards.
No new laws, changes to laws or strong words from the minister will have any influence without exemplary fines, says Chowdhury. The European Union whacks business for up to 20,000,000 euros (about 30 million bucks) or 4 per cent of worldwide annual turnover, whichever is higher, and it has already imposed massive penalties. Excellent. Business forced to pay for its messes. News that Medibank has somehow allowed the data of millions of Australians to escape from its protection comes just as the Attorney-General Mark Dreyfus introduces the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
Oh my goodness. What bliss. What joy. What utterly perfect timing. It allows increased penalties under the Privacy Act and gives the Australian Information Commissioner greater enforcement powers. Big fat ones. For serious or repeated breaches, the greater of $50 million, three times the value of any benefit obtained from the misuse of the data, or 30 per cent of adjusted turnover for the relevant period.
Penalties - now we're talking. Enough of the gentle slaps on the wrist. But we can't do that without a regulator with enough government support to make it all happen. And there must be new rules on how long companies can keep our data.
With their sloppy management, just five minutes might be enough to keep us safe.
Jenna Price is a Canberra Times columnist and a visiting fellow at the Australian National University.
