Data misuse is an epidemic in Australia. Hackers steal data, and spammers spam, and so do legitimate companies that should know better but don’t care because it’s cheaper not to. The solution is simple, says Andy Schmulow.
Recently, it was revealed that MediSecure — the online prescription eScript service — was hacked, and some 600,000 Australians who have used eScript at some stage now have their most private details for sale on the dark web.
Staggeringly, despite their failure to keep patient data secure, MediSecure is now seeking a taxpayer-funded bailout to help cover the costs of fixing the failure of their own making.
Not long ago, the ABC published an interactive tool that showed how bits and pieces of personal data stolen in hacks can be pieced together to build a composite picture of a person’s identity so as to facilitate identity fraud. After the Optus hack, Minister Clare O’Neil said the government was going to crack down on companies that, for example, hold customer data for excessive lengths of time.
This is incredibly important. Every company that holds YOUR data puts YOU at risk because no company is immune to hacking. Some of the biggest corporates and government agencies around the world have been hacked. If NASA and the Pentagon, Sony, Facebook, LinkedIn and eBay can get hacked, then no company is safe. That means no customer whose data is held, is safe.
So one of the most important safeguards is that Australian companies should not hold data for more than 12 months after their last contact with a customer.
Data hoarding
In January this year, I discovered that Aussie Home Loans had held my data for almost 12 years after one initial, brief enquiry. Twelve years later, their ‘suppression list’ failed — that is, the list of contact details that they had hoarded but flagged as “do not contact” failed, and they started spamming me.
Spamming customers, despite the fact that they clicked unsubscribe, is the first sign that a company cannot manage your data safely. And it’s reached epidemic proportions. In the past week I was spammed by a domain hosting company called WebCentral. Let me just emphasise this: this is a tech company. I.T. is their business. Managing an email suppression list should be child’s play for them.
But it gets worse. WebCentral has done this before. They’ve failed — repeatedly — to adhere to unsubscribe instructions. They’ve been doing it for two years. They did it in June 2022, in January 2023, again in December 2023, and then yet again in May 2024.
Each time I’ve clicked unsubscribe. But not only that. I have escalated it as far as I could with their customer support and received unequivocal, written assurances that they would not send me spam again. June 2022, January 2023, and December 2023 – all elicited written and unequivocal assurances of “so sorry, we promise, never again”. And now they’ve done it again!
How can a tech company be so incompetent? Answer: managing suppression lists costs time and money. And because they put profit over protecting customer data, they keep stuffing up. This time, they’ve decided, no doubt out of shame, to just ignore my protestations about the promises they’ve broken and the spam they’ve sent.
In fact, they’ve gone even further. They tried deleting my comments on LinkedIn about how untrustworthy they are with customer data. And when that failed, they complained to LinkedIn that my comments on their company’s posts, pointing out how they can’t manage suppression lists, constituted harassment! To be clear, the harassment is perpetrated by them: repeated spam, without let-up, and in the face of promises of “never again”.
Obviously, WebCentral is not a company you can trust with your data.
The business of spamming
But it’s across the board. It’s big and small. Surfboard Warehouse. Same story. Written assurances from their CEO that they had deleted my emails, and so could not send me spam, even if they wanted to. Then, this week, more spam!
Every time Surfboard Warehouse’s suppression lists fail, they trot out the same excuse: We moved to a new platform, and there was a glitch. But how is that even an excuse when they had promised they had deleted the email addresses from their files? True to form, when they’re exposed, the best the CEO can do is ghost the complainant. Gutless and incompetent.
In the face of all of this, we have legislation (the Spam Act 2003) and a taxpayer-funded agency, the Australian Communications and Media Authority (ACMA), that is supposed to enforce the Act.
Complaints to ACMA achieve nothing. No doubt, ACMA cannot litigate every breach of an unsubscribe function. But do they even bother to send an email to the company in question to say, “Oi, you’ve breached the Spam Act. We are putting you on notice. If you keep on doing this, we’ll bring down a hefty fine”? From what I can tell, the vast majority of complaints to ACMA don’t even result in that. ACMA and its Chair, Nerida O’Loughlin, need to be held to account.
What clamp-down?
And back to Minister Clare O’Neil’s promise to clamp down on those dirty data rats that hoard YOUR data like it’s theirs, and do so for years and years.
She made that announcement after the Optus hack. A hack where there are credible allegations that Optus was deficient in putting in place even the most rudimentary data protections. Deloitte did a report on how the hack happened, and Optus initially promised to make that report public.
After the dust settled, Optus went to every length they could to keep the report secret. The lawyers for the class action against Optus had to go to the Federal Court to get their hands on the report. But under the terms of the judgment, they cannot make it public.
Those who have a legitimate interest in knowing whether Optus was at fault are not allowed to know whether they should put their faith in Optus and whether they will manage their data securely. These priorities are completely wrong. It is OUR data, not theirs.
And when our data protections are violated, we, the public, have a right to know.
The solution is that ACMA must be held to account for what it does when it is notified of breaches of the Spam Act. The legislation needs to be amended to prohibit the retention of customer data for more than 12 months after the last contact with a customer. Thereafter, one single spam email should be enough to discharge the onus of proof that the prohibition on hoarding customer data for an excessive length of time has been breached.
From there, million-dollar fines should be imposed on companies that are found to have retained data for more than 12 months from when they last had contact with a customer.
The Spam Act needs to be amended so that a small number of breaches is sufficient to attract hefty fines, allowing ACMA to impose fines quickly and without needing to show millions of breaches. More than two should be enough. A slew of fines up and down the board, for large and small companies — be it WebCentral, Surfboard Warehouse, Aussie Home Loans, etc. — and all of a sudden the problem will no longer be “too hard”.
And it isn’t. I have insights into an ASX-listed building supplies company that sends every marketing email through their legal department, and they check to make sure the email distribution list has been “washed” through the suppression list. They are meticulous about it, and never stuff up. So enough with the excuses. Let’s stamp this out.
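The “washing” step described above is a set difference, and the reason it fails in practice is almost never the set difference itself: it is addresses stored in different forms (case, whitespace, plus-tags) and lists that arrive empty after a platform migration. The following is an added example, written for this page in Python; it is not code from the article or from any company named in it. It assumes a per-deployment secret (a pepper) for keyed hashing of the stored suppression entries, a handful of address-canonicalisation rules (Gmail ignoring dots and plus-tags is real behaviour; applying it to other domains is an assumption), and the article’s proposed 12-month cut-off for retention. The sample addresses are constructed.

```python
"""Suppression-list wash with canonical addresses, keyed hashing and a
fail-closed migration check, plus a 12-month retention purge.

Added example for this page; not the article's or any named company's code.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: a per-deployment secret. Storing HMAC(pepper, address) instead of
# the address means the suppression list itself is not a hoard of contactable
# data, and a leaked copy cannot be reversed with a dictionary of addresses.
PEPPER = b"example-pepper-keep-out-of-source-control"


def canonical(address: str) -> str:
    """Normalise an address so the same mailbox always produces the same token.

    Lower-cases, strips whitespace, drops a '+tag' from the local part and,
    for Gmail, removes dots (Gmail ignores them). Assumed rules, not RFC 5321.
    """
    addr = address.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def suppression_token(address: str) -> str:
    """Keyed hash of the canonical address; this is what gets stored."""
    return hmac.new(PEPPER, canonical(address).encode(), hashlib.sha256).hexdigest()


class SuppressionList:
    """Holds only tokens, never plaintext addresses."""

    def __init__(self) -> None:
        self._tokens: set[str] = set()

    def unsubscribe(self, address: str) -> None:
        self._tokens.add(suppression_token(address))

    def is_suppressed(self, address: str) -> bool:
        return suppression_token(address) in self._tokens

    def size(self) -> int:
        return len(self._tokens)

    def wash(self, recipients: list[str], min_expected: int = 1) -> list[str]:
        """Return recipients that may be mailed.

        min_expected is the entry count carried over from the previous
        platform or the last send. If the list is smaller than that, the
        import probably failed, so refuse to send rather than spam everyone
        who had unsubscribed (the 'we moved platforms' failure mode).
        """
        if self.size() < min_expected:
            raise RuntimeError(
                f"suppression list has {self.size()} entries, expected at least "
                f"{min_expected}; refusing to send"
            )
        return [r for r in recipients if not self.is_suppressed(r)]


def stale_contacts(last_contact: dict[str, datetime], now: datetime,
                   max_age: timedelta = timedelta(days=365)) -> list[str]:
    """Addresses whose last contact is older than max_age; these should be
    deleted outright, not merely flagged. The 12-month default is the
    article's proposal, assumed here."""
    return sorted(a for a, seen in last_contact.items() if now - seen > max_age)


if __name__ == "__main__":
    # Constructed sample data.
    sl = SuppressionList()
    sl.unsubscribe(" Jane.Doe+promo@Gmail.com ")
    print(sl.wash(["janedoe@gmail.com", "bob@example.com"], min_expected=1))
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    history = {
        "old@example.com": datetime(2012, 3, 1, tzinfo=timezone.utc),
        "recent@example.com": datetime(2024, 1, 15, tzinfo=timezone.utc),
    }
    print(stale_contacts(history, now))
```

Two caveats for anyone adopting this shape. The keyed hash ties the stored tokens to the pepper, so a platform migration must carry the pepper across with the list or re-derive the tokens from the old system before it is decommissioned; losing it silently produces the same empty-list failure the `min_expected` check is there to catch. And canonicalisation rules should be conservative: over-aggressive merging can suppress a different mailbox, which is a far better failure than the reverse, but it is still one to be aware of.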
Andy is a corporate governance expert and Senior Lecturer in the Faculty of Law at the University of Wollongong, admitted as an Australian Legal Practitioner in the Supreme Court of Victoria, an Advocate of the High Court of South Africa, and the Principal of Clarity Prudential Regulatory Consulting.