Need to know
- Australians have few rights when it comes to getting companies to delete our personal data
- Customer records from as far back as 2005 were accessed in the Latitude breach
- Our case study asks: 'How can companies be allowed to hold my personal information forever?'
Greg didn't know what to make of it when he received notification from Latitude Finance that his name, address, date of birth, phone number and driver's licence number had been accessed by cybercriminals.
It wasn't that the March data breach was so surprising – it was that he hadn't been a customer of Latitude or its predecessor company GE Money for a long time. Why had Latitude held on to his personal information?
(The Australian financial services arm of GE Money was sold to investors in 2015, who renamed it Latitude Finance. GE Money customer data was passed along to Latitude as part of the deal.)
"Initially, I thought it was a mistake but eventually realised the credit must be associated with interest-free terms on a lounge we purchased about 15 years ago from Harvey Norman," says Greg.
In search of an explanation, he attempted to get in touch with Latitude, but that proved to be difficult.
"Despite the extensive details provided by Latitude outlining what they are doing to rectify the situation and minimising their blame, you can't reach them. No one ever answers the phone."
Breach worse than reported
Like other corporate data breaches, the Latitude breach turned out to be significantly worse than first reported.
When Latitude revealed the breach in mid-March, it indicated that the hackers had accessed about 330,000 customer records.
In late March, Latitude raised that number significantly to 14 million, with many GE Money customer records going back as far as 2005 also caught up in the breach.
According to reporting by the ABC, the breach also affected consumers who had taken out Coles-branded credit cards that were issued by GE Money, and may have also affected the former card issuer's Myer-branded cardholders as well.
Both the Coles and the Myer cards were initially partnered with Latitude, but that's no longer the case.
GE Money was also partnered with several other major retailers – including Harvey Norman, The Good Guys and JB Hi-Fi – and the majority of those relationships carried over to the Latitude Financial brand.
In its breach notification, Latitude acknowledged that people who applied for credit with a predecessor company were also affected.
It means former and current customers of all these companies could be caught up in the data breach.
The problem with long-term data retention
"How can companies be allowed to hold my personal information forever?", Greg wants to know.
Disturbingly, the answer is that Australians have very few rights when it comes to getting companies to delete their data.
In response to a complaint he lodged with Latitude, Greg was told that his data had been retained because the company was legally required to hold on to it.
When we asked the company to explain, we were told that Latitude "is required by law to collect and retain certain personal information when customers apply for or open an account. Some of this information must be kept for several years after an account is closed.
"Latitude's data retention policies and practices are being thoroughly reviewed as part of the ongoing investigation of the cyber-attack," the spokesperson added.
A spokesperson for the Office of the Australian Information Commissioner (OAIC), which oversees the Privacy Act, told CHOICE that a business "must take reasonable steps to destroy personal information it holds or ensure it is de-identified if it no longer needs the information".
But the OAIC spokesperson added a caveat, saying the requirement applies "except where the business is required by law or a court or tribunal order to retain the personal information. For example, there are specific requirements to keep personal information for the purposes of anti-money laundering or taxation purposes".
Privacy Act review calls for change
How this exception applies to people in Greg's situation is not clear, and the lack of clarity around privacy rights has been under discussion among policymakers.
In the case of taxation, data is required to be retained for five years. With anti-money laundering, the timeframe is seven years. There is no law that CHOICE is aware of (or could find) requiring the retention of personal data for up to 15 years or more.
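The two windows above (five years for taxation, seven for anti-money laundering) are the only statutory figures the article identifies, and the OAIC's position is that once no such hold applies the business must destroy or de-identify the data. The following is an added illustration, written for this page and not code from CHOICE, Latitude or the OAIC, of what a retention sweep built on those figures looks like: each record carries the holds the business claims, the longest hold sets the retention end date, and anything past it is either destroyed or stripped of direct identifiers. It assumes the retention clock starts at account closure (the relevant Act should be checked for the actual trigger), uses constructed sample records, and treats the salt used for de-identification as a secret held apart from the data.

```python
from dataclasses import dataclass, replace as dc_replace
from datetime import date
from typing import Optional, Iterable
import hashlib

# Statutory retention windows in years after account closure, using the two
# figures the article gives: taxation 5 years, anti-money laundering 7 years.
# ASSUMPTION: the clock starts at closure; the real trigger is set by the Act.
RETENTION_YEARS = {"tax": 5, "aml": 7}


@dataclass(frozen=True)
class CustomerRecord:
    record_id: str
    name: str
    dob: str
    licence_no: str
    closed_on: Optional[date]     # None means the account is still open
    legal_holds: tuple            # statutory holds the business relies on


def add_years(d: date, years: int) -> date:
    """Anniversary of d, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: CustomerRecord) -> Optional[date]:
    """Last day a legal hold justifies keeping the record; None for open accounts,
    which are still needed to provide the service."""
    if rec.closed_on is None:
        return None
    longest = max((RETENTION_YEARS[h] for h in rec.legal_holds), default=0)
    return add_years(rec.closed_on, longest)


def classify(rec: CustomerRecord, today: date) -> str:
    """'retain' while the account is open or a hold runs, else 'destroy'."""
    end = retention_end(rec)
    return "retain" if end is None or today <= end else "destroy"


def deidentify(rec: CustomerRecord, salt: bytes) -> CustomerRecord:
    """Remove direct identifiers, keeping only a keyed, non-reversible token so
    aggregate figures still line up. An unsalted hash of a record ID would be
    trivially reversible by anyone who can enumerate IDs."""
    token = hashlib.sha256(salt + rec.record_id.encode()).hexdigest()[:16]
    return dc_replace(rec, record_id=token, name="", dob="", licence_no="")


def sweep(records: Iterable[CustomerRecord], today: date, salt: bytes,
          keep_aggregate: Iterable[str] = ()):
    """Partition records into retained ones, IDs to destroy, and de-identified
    copies of past-hold records the business wants only for statistics."""
    keep_aggregate = set(keep_aggregate)
    retained, destroyed, deidentified = [], [], []
    for rec in records:
        if classify(rec, today) == "retain":
            retained.append(rec)
        elif rec.record_id in keep_aggregate:
            deidentified.append(deidentify(rec, salt))
        else:
            destroyed.append(rec.record_id)
    return retained, destroyed, deidentified


# Constructed sample data; none of these are real customers.
SAMPLE = [
    CustomerRecord("GE-2008-0001", "G. Example", "1950-01-01", "12345678",
                   date(2010, 6, 30), ("aml", "tax")),   # old store credit, closed 2010
    CustomerRecord("LF-2019-0002", "A. Example", "1985-05-05", "23456789",
                   date(2020, 2, 29), ("aml",)),         # closed on a leap day
    CustomerRecord("LF-2021-0003", "B. Example", "1990-09-09", "34567890",
                   None, ("aml", "tax")),                 # still open
    CustomerRecord("LF-2016-0004", "C. Example", "1975-03-03", "45678901",
                   date(2016, 1, 15), ()),                # no hold claimed at all
]
TODAY = date(2023, 3, 16)

if __name__ == "__main__":
    kept, gone, anon = sweep(SAMPLE, TODAY, b"example-salt", keep_aggregate={"LF-2016-0004"})
    for r in kept:
        print("retain", r.record_id, "until", retention_end(r))
    print("destroy", gone)
    print("de-identified", [a.record_id for a in anon])
```

Run against the sample set on 16 March 2023, the 2010 closure is seven years past its longest hold and is destroyed, the leap-day closure is held until 28 February 2027, and the record with no claimed hold is de-identified rather than kept in full. A record closed 15 years ago, as in Greg's case, falls well outside both windows under this model.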
"It appears from Greg's experience that businesses are interpreting data retention laws to benefit themselves at the expense of consumers," says CHOICE consumer data advocate Kate Bower.
"It may be a requirement to keep some personal information for up to seven years to comply with the law, but there is absolutely no good reason to keep this data for 15 years or more, exposing it to cybersecurity threats, as happened to Greg and many others."
The final report on the review of the Privacy Act, released in mid-February this year, recommends that the federal government rethink the legal provisions that call for retaining personal data "to determine if the provisions appropriately balance their intended policy objectives with the privacy and cyber security risks of entities holding significant volumes of personal information", the OAIC spokesperson told us.
On 10 May the OAIC announced that it was launching an investigation into Latitude's data handling practices in partnership with the New Zealand Office of the Privacy Commissioner (Latitude also does business in New Zealand). Part of the focus will be on whether Latitude "took reasonable steps to destroy or de-identify personal information that was no longer required".
There are some legal reasons for businesses to hold on to your data, but none that call for retaining data for 15 years or more.
Can a business pass along your data?
There are also ambiguities in the Act when it comes to a business passing along customer data when it's sold to a new business.
According to OAIC, a company "should only provide a prospective purchaser with personal information if the provision of that information is consistent with the vendor's obligations concerning the use or disclosure of the information" under the Australian Privacy Principles.
None of this seems to be of much help to victims of data breaches, who now number in the tens of millions.
Bower says reforms to privacy laws are long overdue, including those covering data retention, as was recommended in the Privacy Act report. It's a recommendation that CHOICE supports.
"We also support the introduction of individual rights to request the deletion of their personal data, which would align Australia's privacy laws with world-leading legislation like the EU's General Data Protection Regulation (GDPR)," Bower says.
"But laws are meaningless without strengthening the powers of our privacy regulator (the OAIC) so it can hold businesses to account, which will be critical to protecting consumers from future data breaches."
Greg is particularly aggrieved that he'll have to deal with any fallout from the breach at a stage in his life when applying for credit is a thing of the past.
"Retired people have a hard time getting credit, so it infuriates me even more that these people are holding on to my details," Greg says. "I mean, we haven't had credit from anyone in the last 10 years."
"It's frightening to think of my data being held by organisations over the 50 years I've been commercially active."