Data Breaches 2022 onward (including Optus)

PS Even improving the current verification does nothing about the “97,000” drivers licences that just got dumped by Lateral and “30,000?” that got dumped by Optus. (NB: Only covering what I believe to be valid pairs of licence number and card number that were exposed, not the much larger set of licence numbers by themselves that were exposed.) By rights, those should all be reissued no matter what changes are made around the edges.

But let’s not get too ahead of ourselves. A criminal can pick up your full licence at any club where you aren’t a member.


Are or are not?
What does this assume they have access to and knowledge of?

Acknowledged it’s an added comment not directly connected to the Latitude related data breach.

Are not.

If you are a member, you use your membership card to swipe in. No details surrendered at that time.

If you are not a member, you use drivers licence to scan in, each and every time you visit such a club.

You have to make some assumptions but it dramatically increases the number of entities who could be attacked in order to get drivers licence information and includes a whole lot of comparatively smaller organisations, who don’t have billion dollar IT budgets (unlike an “Optus” or a “Big Four” bank).


And “today’s”: Skin cancer survey hack may have 'compromised' personal details, Medicare numbers of participants - ABC News

Small in number (as far as we know so far!) but could be uncomfortable for some survey participants.

Data breach expert Jane Andrew from the University of Sydney says current data breach laws are not fit for purpose because there is no legal requirement to publicly disclose a hack.

This is something of a simplification and an exaggeration. I think there are three gaps here:

  1. There is never a requirement to notify the public at large. However there is a requirement to notify the OAIC. So this could easily be fixed by government itself, either administratively or legislatively. That is, the company tells the OAIC and the OAIC tells the public at large (in a standard format and using a standard mechanism).
  2. This only applies where there is “likely risk of serious harm”. This is obviously vague, and subject to opinion and judgement. It should be: a data breach is a data breach. Unauthorised access to data of any kind should be notifiable (for organisations covered by this regime at all).
  3. Not all organisations are covered by these requirements at all. I am happy for that to remain the case i.e. put the burden on medium and large enterprises only.