Opinion: The miserable level of consumer protection offered by existing privacy laws and the federal privacy commissioner has been on display in the last month as Latitude Financial released threadbare details of the large-scale data theft at the company.

Latitude first revealed its systems had been hacked on 16 March, but took until 27 March to confirm that the personal details of millions of customers had been stolen by online criminals. In a media statement issued on 27 March, Latitude elected not to disclose details about the types of products subject to the data theft, even though it acknowledged that the personal records of 5.7 million customers created before 2013 had been stolen.

Given that a large portion of Latitude’s antecedent business flowed from its alliances with the Coles and Myer retail businesses in those years, the obvious conclusion of many payments experts was that previous holders of the Coles Myer Card were heavily affected by the cyber-attack. GE Capital was the issuer of the Coles Myer Card and Latitude’s disclosures on 27 March strongly indicated that it had retained the personal information of participants in the defunct program on its computer servers.

However, Latitude chose not to include this information in its statement made on 27 March. Neither did Latitude notify the Coles Group of any data event affecting the retailer’s past or present customers until 15 April.

In response to questions from Banking Day on 27 March, a spokesperson for Coles Group said the retailer had received no notification from Latitude. “Coles continues to seek ongoing updates from Latitude Financial on its investigations,” the Coles spokesperson said on 27 March. “We have not received any notification that historical records about our customers have been exposed.”

It took Latitude 30 days to notify the Coles Group that personal data of its customers had been stolen, but even now Coles still doesn’t know how many of its customers are affected and what types of breaches occurred. In light of the information contained in Latitude’s release of 27 March, it seems that Latitude’s disclosure has been inadequate. Do senior Latitude executives expect the public to believe they did not know before 15 April that historical customers of the Coles-Myer branded card program had their data stolen?

There is a material public interest at stake when large-scale data thefts occur. Latitude’s public statement of 27 March would have delivered greater public utility had the company specified the types of products impacted by the data theft.

It’s an open question whether one of the country’s most ineffectual regulators – the Office of the Australian Information Commissioner – has the will to force better disclosure from Latitude. The OAIC’s only public statement on the Latitude debacle came on 27 March when it confirmed it was engaging with the company for its “preliminary inquiries” into the cyber security incident. Not a squeak from the regulator in the three weeks since.