Having the majority of our life online puts our information at more risk than ever. From social media to online shopping, companies collect and store a significant amount of our personal data. Sensitive data like bank details, important passwords, and identification information can be damaging in the wrong hands.
In the latter half of 2023, 483 data breaches were notified in Australia according to the Office of the Australian Information Commissioner (OAIC).
This is up by 19% from the first half of the year.
Malicious or criminal attacks were the leading cause, responsible for over half of the breaches.
This leaked data can be used by scammers, particularly in phishing scams that try to hack your accounts.
In 2023 Australians lost over $2.7 billion to scams, so it’s not just getting hacked that you need to worry about following a breach. This has been a particular concern for super funds, with criminals targeting members to get access to their accounts to swindle retirement funds.
The good news is that you have rights around how your data is handled, and there are requirements that companies must follow.
Top tip: not sure if your data has been stolen? You can use a site like Have I Been Pwned to see whether your email address appears in any known data breaches.
Let's break down these responsibilities and explore the options available to you if your data is leaked.
What do companies have to do to keep your data safe?
Under Australian law, particularly the Privacy Act 1988, companies have obligations to protect the personal information they collect and use.
Key responsibilities include:
Collecting data fairly and lawfully
Companies must collect personal information in a fair and lawful manner. This means they need to inform you about what data they're collecting, why they're collecting it, and how they plan to use it. For example, if you're signing up for a newsletter, they should tell you that your email address will be used to send updates.
Ensuring data quality and security
Companies are required to ensure that the personal information they collect is accurate, up-to-date, and complete.
They should also take steps to protect the information from being:
misused
interfered with
lost
accessed without authority
modified
disclosed.
To achieve this, companies may use secure servers and encryption, and carry out regular security audits.
Allowing access and correction
You have the right to access the personal information a company holds about you and request corrections if it's inaccurate, incomplete, or outdated. Companies must respond to these requests within a reasonable timeframe, no longer than 30 days.
Being transparent about data practices
Companies must be open about their data management practices. This includes having a clear and accessible privacy policy outlining how they handle personal information, the types of data they collect, how it is used, and who it is shared with.
Not using data beyond its original purpose
When a company collects your data, they should only use it for the specific purpose it's been collected – unless they have your consent or there’s a legal obligation to do so. For instance, if you provide your details for a purchase, the company shouldn't use that information for marketing purposes unless you have agreed to it.
Data breach notifications
This is an important one: if a company experiences a data breach, they need to tell anybody who’s had their data compromised as well as the OAIC. In theory, this then means anybody affected can take steps to protect themselves, such as changing passwords or monitoring accounts for suspicious activity.
How can you protect your finances if your data’s been leaked?
The financial repercussions of a potential breach are one of the biggest concerns, and banks have tightened their own security measures significantly over recent years. But it pays to be vigilant: report any suspicious activity on your account as soon as possible, or freeze your account if you suspect you have been the victim of a breach.
The most important step is to speak to your bank – or other financial institution – if you think you’ve been scammed. Sometimes they may be able to help recover the funds.
Be aware: don’t feel embarrassed if you have been scammed. Data breaches and scams happen to us all. The more people who report, the more banks and other organisations can work to identify the criminals.
There are a few sensible steps you can take to minimise the risk of being scammed. They won’t always stop the scammers, but they will make it harder for them.
Be cautious about sharing personal information
Only provide personal details when absolutely necessary, and make sure the website or service you are using is trustworthy and secure. If you’re not sure, phone the company back to verify, using contact details from its official website rather than from the message you received.
Use strong, unique passwords
Avoid using the same password across multiple sites and services. Consider using a password manager to keep track of your passwords securely. Combine this with additional verification to make your accounts as secure as possible.
Enable two-factor authentication (2FA)
This adds an extra layer of security to your accounts by requiring not just a password but also a second form of verification, such as a code sent to your phone.
It’s a good idea to use 2FA for online banking transactions and for your superannuation account too, for an added level of security.
What can you do if your data isn’t handled properly?
So what happens if you’re one of the millions of Australians who have been caught up in a data breach in recent years? Here are some steps you can take, and your rights:
Contact the company
Reach out directly and explain your concerns. Plenty of bigger companies will have customer service representatives who will be able to help. If they have already contacted you, follow their instructions.
Complain to the OAIC
If you’re not satisfied with the company's response, file a complaint with the OAIC. They can investigate and, in some cases, impose penalties.
Seek legal action
The general rule is that individuals can’t sue for data breaches, but there are exceptions. The company has 30 days to respond once you lodge a complaint with the OAIC. If you’re still not satisfied, you may want to speak to a lawyer (but be aware this can be costly).
Join a class action lawsuit
If a breach affects a lot of people, it might generate a class action lawsuit that allows a group of individuals to sue collectively.
Bottom line
Data breaches and scams are, sadly, a way of life for us now in Australia. But being savvy about how you use your private information and taking steps to protect your finances could make the difference between falling victim to a scam and avoiding one.
It also pays to know your rights under the Privacy Act. Being informed about what companies are obligated to do may help you hold them accountable if your data is mishandled.
Financial Disclaimer
The information contained on this web page is of general nature only and has been prepared without taking into consideration your objectives, needs and financial situation. You should check with a financial professional before making any decisions. Any opinions expressed within an article are those of the author and do not specifically reflect the views of Compare Club Australia Pty Ltd.