For domestic violence victim-survivors, a data or privacy breach can be extraordinarily dangerous

A suite of recent cybersecurity data breaches highlight an urgent need to overhaul how companies and government agencies handle our data. But these incidents pose particular risks to victim-survivors of domestic violence.

In fact, authorities across Australia and the United Kingdom are raising concerns about how privacy breaches have endangered these customers.

The onus is on service providers—such as utilities, telcos, internet companies and government agencies—to ensure they don't risk the safety of their most vulnerable customers by being careless with their data.

A suite of incidents

Earlier this year, the UK Information Commissioner reported it had reprimanded seven organizations since June 2022 for privacy breaches affecting victims of domestic abuse.

These included organizations revealing the safe addresses of the victims to their alleged abuser. In one case, a family had to be moved immediately to emergency accommodation.

In another case, an organization disclosed the home address of two children to their birth father (who was in prison for raping their mother).

The UK Information Commissioner has called for better training and processes. This includes regular verification of contact information and securing data against unauthorized access.

In 2021, the Australian Information Commissioner and Privacy Commissioner took action against Services Australia for disclosing a victim-survivor's new address to her former partner.

The commissioner ordered a written apology and an A$19,980 compensation payment. It also ordered an independent audit of how Services Australia updates contact details for separating couples with shared records.

An earlier case involved a telecommunications company and the publisher of a public directory.

The commissioner ordered them each to pay $20,000 to a victim of domestic violence whose details were made public, which jeopardized her safety.

More recently, the Energy and Water Ombudsman Victoria reported a case where an electricity provider inadvertently provided a woman's new address to her ex-partner. The woman had to buy security cameras for protection. The company has since revised its procedures.

The Energy and Water Ombudsman Victoria has also reviewed complaints received in 2022-23 related to domestic violence. These include failing to flag accounts of victims who disclosed abuse, as well as potentially unsafe consumer automation and data governance processes.

The Victorian Essential Services Commission accepted a court-enforceable undertaking from a water company that it would improve processes after allegations its actions put customers affected by family violence at risk.

The commission found the company failed to adequately protect the personal information of two separate customers in 2021 and 2022, by sending correspondence with their personal information to the wrong addresses.

In both cases, the customer had not disclosed their experience of domestic violence. Nevertheless, the regulator noted these "erroneous information disclosures put these customers at risk of harm".

Australia's Telecommunications Industry Ombudsman received about 300 complaints involving domestic violence in 2022-23, with almost two-thirds relating to mobile phones.

Complaints included instances of telcos disclosing the addresses of victim-survivors to perpetrators or of frontline staff not believing victim-survivors. There were also cases of telcos insisting a consumer experiencing family violence contact the perpetrator of family violence. The report noted: "For example, one person was asked by her telco to bring her abusive ex-partner into a store to change her number to her new account. We've also had complaints about telcos disconnecting the services of a consumer experiencing family violence—sometimes at the request of the account holder who is the perpetrator of the violence—despite access to those services being critical to the consumer staying safe."

The Australian Financial Complaints Authority resolved more than 500 complaints from people experiencing domestic and family violence in 2021-22, including those related to privacy breaches.

Change is slowly under way

In May, new national rules came into force to provide better protection and support to energy customers experiencing domestic violence.

These rules mandate retailers prioritize customer safety and protect their personal information. This includes account security measures to prevent perpetrators from accessing victim-survivors' sensitive data.

They also prohibit the disclosure of information without consent. In issuing its rules, the Australian Energy Markets Commission noted the heightened risk of partner homicides following separations.

The Telecommunications Industry Ombudsman has called for mandatory, uniform and enforceable rules. The current voluntary industry code and guidelines fall short in protecting phone and internet customers experiencing domestic violence.

New rules should include training, policies and recognition of violence as a cause of payment difficulties. They should also factor in how service suspension or disconnection affects victim-survivors.

The Australian Information and Privacy Commissioner said last year, "Sadly, we continue to receive cases of improper disclosure of personal information off line by businesses to ex-partners who target women in family disputes and domestic violence. All of these issues reinforce the need for privacy by design."

In its response to a review of the Privacy Act, the government has agreed the Office of the Australian Information Commissioner should help develop guidance to reduce risk to customers.

We must work harder to ensure data and privacy breaches do not leave victim-survivors of domestic violence at greater risk from perpetrators.

This article is republished from The Conversation under a Creative Commons license. Read the original article.