by A series of recent cybersecurity data breaches has shed light on the dire need to overhaul how companies and government agencies handle sensitive information. These breaches, however, pose a particularly grave risk to victim-survivors of domestic violence. Authorities in Australia and the United Kingdom are increasingly raising concerns about how privacy breaches have endangered these vulnerable individuals.
Service providers, including utilities, telcos, internet companies, and government agencies, must take responsibility for safeguarding the data of their most vulnerable customers. The UK Information Commissioner, for instance, reported reprimanding seven organizations since June 2022 for privacy breaches that affected domestic abuse victims. Shockingly, some organizations disclosed the safe addresses of victims to their alleged abusers. In one instance, a family had to be swiftly relocated to emergency accommodation for their safety.
Similarly, in Australia, the Australian Information Commissioner and Privacy Commissioner took action against Services Australia in 2021 for disclosing a victim-survivor’s new address to her former partner. The commissioner ordered a written apology and a compensation payment of A$19,980. An independent audit was also ordered to assess how contact details are updated for separating couples with shared records.
These cases highlight the urgent need for better training, processes, and security measures. Regular verification of contact information, as well as securing data against unauthorized access, is necessary to protect victim-survivors of domestic violence from potential harm.
The Energy and Water Ombudsman Victoria reported a recent case involving an electricity provider that inadvertently disclosed a woman’s new address to her ex-partner. In response, the woman had to purchase security cameras for her protection. The company has since revised its procedures to prevent such lapses from occurring again.
Furthermore, the Energy and Water Ombudsman Victoria has reviewed complaints related to domestic violence received in 2022-23. These include instances of failing to flag accounts of victims who disclosed abuse, as well as potentially unsafe consumer automation and data governance processes.
The Victorian Essential Services Commission accepted a court-enforceable undertaking from a water company to improve processes after it was discovered that the company had failed to adequately protect the personal information of two customers. Correspondence containing their personal information was sent to the wrong addresses. While the customers had not disclosed their experiences of domestic violence, the regulator emphasized that these privacy breaches put them at risk of harm.
The Telecommunications Industry Ombudsman in Australia received approximately 300 complaints related to domestic violence in 2022-23, with nearly two-thirds concerning mobile phones. Complaints ranged from telcos disclosing victim-survivors’ addresses to perpetrators, to frontline staff doubting victim-survivors’ claims. There were also cases where telcos insisted that a consumer experiencing family violence should contact the perpetrator. In one distressing example, a telco asked a victim-survivor to bring her abusive ex-partner to a store to change her number to her new account. There were also instances where telcos disconnected the services of consumers experiencing family violence, sometimes at the request of the account holder who was the perpetrator, despite the importance of these services for the victim-survivor’s safety.
In 2021-22, the Australian Financial Complaints Authority resolved over 500 complaints related to domestic and family violence, including breaches of privacy. These findings emphasize the need for stronger protections and support for those affected by domestic violence.
May saw the introduction of new national rules in Australia aimed at providing better protection and support to energy customers experiencing domestic violence. These rules require retailers to prioritize customer safety and protect their personal information. They prohibit the disclosure of information without consent. The Australian Energy Markets Commission, in implementing these rules, acknowledged the heightened risk of partner homicides following separations.
To adequately safeguard phone and internet customers experiencing domestic violence, the Telecommunications Industry Ombudsman has called for mandatory, uniform, and enforceable rules. The current voluntary industry code and guidelines fall short in their ability to protect these individuals. New rules should include training, policies, and recognition of violence as a cause of payment difficulties. They should also consider how service suspension or disconnection affects victim-survivors.
The Australian Information and Privacy Commissioner has expressed concerns about the improper disclosure of personal information offline by businesses during family disputes and domestic violence cases. These issues highlight the crucial importance of “privacy by design” and underscore the need for better guidance and risk reduction measures.
It is imperative that we take decisive action to ensure that data and privacy breaches do not leave victim-survivors of domestic violence at a heightened risk of harm from their perpetrators.
*Note:
1. Source: Coherent Market Insights, Public sources, Desk research
2. We have leveraged AI tools to mine information and compile it
