After Latitude Financial admitted it was caught up in a cyber attack last month, we asked readers how they had been affected.
Some told us they sensed something was wrong before they were notified by the company.
It raises the question of how quickly companies are required to notify customers about a data breach, how they do it and whether this lines up with the public's expectations.
How long did it take Latitude to report the breach?
The company's statement did not give an exact time.
On March 16, it posted an announcement saying it "detected unusual activity on its systems over the last few days".
"While Latitude took immediate action, the attacker was able to obtain Latitude employee login credentials before the incident was isolated," the statement said.
Messages were sent to customers the following day, March 17.
How did customers find out?
Via the announcement on March 16, and then by being messaged individually on March 17.
Latitude said these messages were sent via email if the company had an email address for the person.
Otherwise, a letter was sent to their postal address.
Bryce Medlen said he was notified by his anti-virus software on March 17, hours before Latitude contacted him.
The notification linked to an announcement on Latitude Financial's website — so the company had already made the information public by that stage.
Here's what that notification looked like (keeping in mind that we've cut off the name of the cyber security company in line with the ABC's editorial policies):
Mr Medlen said the notification from his cyber security service came at 11am.
But he said the email from Latitude did not come until hours later at about 7pm.
"I received a generic email stating that there had been a data breach and theft of personal documents used by latitude service providers," he said.
"The email stated that predominantly driver's licences had been stolen; they said that they were sorry and would notify me if my data had been stolen."
Mr Medlen said he "finally" found that his licence and identifying details were accessed by hackers on April 2 — more than a fortnight after Latitude's initial announcement.
"They said they'd cover the cost of ID replacement if I arrange it personally, however, they've reassured me that they are working with state authorities to arrange replacements if necessary," he said.
Thankfully, Mr Medlen had not noticed any fraudulent activity on his account.
He uses cyber security services to alert him to data breaches "but also when my information turns up on the dark web or hacker networks".
"I have placed a ban on my credit files to ensure no one else can access credit in my name."
Are there laws about reporting data breaches?
Yes.
Here's what the Office of the Australian Information Commissioner (OAIC) says about that:
"When an organisation or agency the Privacy Act 1988 covers has reasonable grounds to believe an eligible data breach has occurred, they must promptly notify any individual at risk of serious harm."
But that is only for the bodies covered by the Privacy Act.
That is defined by the OAIC as any Australian government agency and organisation with an annual turnover of more than $3 million.
But there are some small businesses — including private sector health providers and credit reporting bodies — that are also covered by the act.
Here is what the act does not cover:
- State or territory government agencies, including a state and territory public hospital or health care facility (which is covered under state and territory legislation) except:
- certain acts and practices related to My Health Records and individual healthcare identifiers
- an entity prescribed by the Privacy Regulation 2013- An individual acting in their own capacity, including your neighbours
- A university, other than a private university and the Australian National University
- A public school
- In some situations, the handling of employee records by an organisation in relation to current and former employment relationships
- A small business operator, unless an exception applies
- A media organisation acting in the course of journalism if the organisation is publicly committed to observing published privacy standards
- Registered political parties and political representatives
How quickly does a company have to notify people about a breach?
It is a grey area.
"In response to a breach, organisations need to provide information to individuals that is timely and accurate," Australian Information Commissioner and Privacy Commissioner Angelene Falk said in a statement last month.
But just what is considered "timely" is not explicit.
Here is what the AOIC website says:
"Generally, an organisation or agency has 30 days to assess whether a data breach is likely to result in serious harm.
"When a data breach occurs, we expect an organisation or agency to try to reduce the chance that an individual experiences harm.
"If they're successful, and the data breach is not likely to result in serious harm, the organisation or agency doesn't need to tell the individual about the data breach."
But Ms Falk said it should take less time than 30 days.
"Organisations that suspect they have experienced an eligible data breach should treat 30 days as a maximum time limit for an assessment and aim to complete the assessment and notify individuals in a much shorter time frame," she said.
And a report from the Attorney-General reviewing the privacy act recommended updates to laws which would compel entities to notify the Information Commissioner within three days of becoming aware of a breach.
Here is the proposal put forward in the report:
"...If an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity, the entity must give a copy of the statement to the Commissioner as soon as practicable and not later than 72 hours after the entity becomes so aware, with an allowance for further information to be provided to the OAIC if it is not available within the 72 hours."
While this is still in the proposal phase, the deadline for providing feedback passed on Friday — so there may be more news on that front in the near future.
According to the AOIC's latest notifiable data breaches report, 77 per cent of breaches were reported by the entity within that 30-day window, as seen in this graph:
The Information Commissioner has the power to issue a notice directing the entity to prepare a statement about the data breach and notify affected individuals if there are reasonable grounds to believe a notifiable breach occurred.
And more recently, they were given powers to obtain documents about a suspected data breach.
"This new provision supports the OAIC’s regulatory role to facilitate timely notification to affected individuals and ensure compliance with the [Notifiable Data Breaches] scheme," the OAIC's latest report said.
How can we feel safe handing over our details?
Mr Medlen said he wanted companies to make it clear how long they would hold on to your data — and for that to be made obvious at the time people are handing it over, not buried in the long-winded terms and conditions pages.
He also wants companies to be held accountable.
"They need to own it and do their best to prevent it happening in the future ... with open and transparent communication."
Mr Medlen said he was sceptical about giving out his information to companies, having been caught up in the Optus data breach last year.
He was concerned about where these details were stored and for how long.
"These documents are my identity; they legally let me prove who I am," he said.
How do you report a scammer?
People are encouraged to report scams to the ACCC's Scamwatch, regardless of whether they lost money or not.
You can report cybercrimes to police through the Australian Cyber Security Centre's online reporting portal.
If you're concerned you're a victim of identity theft, you can contact IDCARE, a not-for-profit charity that describes itself as Australia's national identity and cyber support service.
The ACCC also recommends Lifeline for crisis support to help with emotional distress about scams and Beyond Blue for support for anxiety and depression.