Storing unnecessary data? Expert issues stark warning

You might not consider it a problem, but storing unnecessary data can leave businesses liable to legal action and reputational damage. Cyber Daily sits down with Brenton Steenkamp, cyber partner at Clayton Utz, to unpack what exactly businesses are putting at risk when they’re cowboy with their data policies.

Liam Garman
Tue, 28 May 2024

Observers and cyber security insiders can identify almost the precise moment that data security became a top-of-mind concern for Australians: it was when Optus customers began asking, "If it was Optus that got hacked, why has my Medicare card been exposed?"

Reputationally, Optus was shattered. In just months, the telco lost some 65,000 subscribers, and it took just one more public calamity to topple embattled CEO Kelly Bayer Rosmarin. Financially, the company didn’t fare any better: following the breach, Optus itself estimated that the clean-up could cost $140 million.

Breaches like this are not unique to Australia, and governments across the globe are, like Australia’s, tightening the regulatory screws on businesses to ensure the safe and ethical storage of data.


In 2020, British Airways was fined €22 million for a breach of customer data that included both credit card numbers and CVVs. That same year, Marriott International received a €20 million fine for a breach in which around 5 million unencrypted passport numbers were stolen. In both cases, the companies held information about their customers that they had no continuing need for, and failed to adequately protect the data they did hold. As such, they were held to account under the European Union’s GDPR.

To understand Australia’s changing data protection requirements and the risks businesses face when they are too cavalier with their cyber security policies, Cyber Daily sat down with Brenton Steenkamp, cyber partner at Clayton Utz.

In Steenkamp’s view, a business will likely face legal challenges on two fronts if a cyber breach reveals that it was retaining unnecessary data behind a poor security architecture: first from the government and regulators, over the compliance failure, and second from a class action brought by the victims.

With the Commonwealth’s ambitious goal of making Australia the world’s most cyber secure nation by 2030, Steenkamp warned Cyber Daily that regulators will be even more motivated to hold businesses accountable for poor cyber security practices. His advice: be vigilant and ensure that everyone understands their roles and responsibilities in the event of a cyber incident.

“Examining the increasingly stringent cyber security regulations coming from Europe, it is clear that governments are taking stronger stances on the need to report on cyber breaches and within certain time periods, though there are risks with this,” Steenkamp said.

“Before going public with cyber breaches, organisations need to know what to report, and when to report. One thing that came to light with recent breaches is that your business actually needs to have the cyber structures in place that you communicate to clients and the regulators.

“Critically, these also need to be at the correct regulatory standards. If you miscommunicate any of these by acting too quickly, you run the risk of actually fuelling the type of class actions we’re seeing now.”

To Steenkamp, the ensuing reputational risk of falling victim to an attack and losing customer data could be even more damaging than the legal repercussions themselves.

“The biggest risk for any entity falling victim to a cyber breach is the reputational issue that arises. Whether you’re a government or private entity, you invest in building trust with your customers and supply chain. Once the trust is also breached, the trust people had in your brand will fall,” he said.

The comments reflect longstanding research into the damage a cyber breach can do to customer confidence. According to a PwC survey cited in Forbes in 2017, 87 per cent of consumers said they would stop doing business with an organisation if they believed their data was not being looked after responsibly.

The warnings may seem simple, but it is reasonable for businesses to ask what exactly separates necessary data from unnecessary data.

“If you can’t answer: why do I have a need for this data? What is the business case for storing a specific set of data? And what is the compliance around holding that data? Then you’re going to open the door to potential regulatory fines. Then you’ll have the second tsunami of class action lawsuits,” Steenkamp told Cyber Daily.

“Businesses must continually assess the need, the operational requirements and the compliance requirements for a set of data. If you meet these requirements, then ensure that you are taking the precautionary measures to reasonably safeguard that data.”

So what are the cyber expert’s top tips for businesses to keep their data safe, ensure they are compliant and protect themselves from regulatory and legal risks?

“You need to observe, own and overcome. If you don’t observe, you don’t know what your environment is. If you don’t take ownership, you don’t understand the requirements of the data you’re holding. If you don’t build risk strategies around your people, processes and technologies, you won’t be able to overcome future risks,” Steenkamp said.

“On a tangible basis, businesses can implement three key areas. First is segmentation; this ensures that data has strict access control, ensuring that only the right people are accessing the right data points. Secondly, it’s that the data is encrypted. And thirdly, that you implement multifactor authentication to mitigate the risk of unauthorised access.

“These processes can be strengthened with businesses employing a defined data controller. This is more common in Europe, but not so much in Australia. This dedicated taskmaster or data protection officer takes ownership over that environment and has the clearly defined task of bringing the right processes to protect data holdings.”
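The "observe" step above, and the three questions Steenkamp says a business must be able to answer for every data set (why is it held, what is the business case, what compliance rule applies), can be turned into a repeatable check. The script below is an added example written for this article, not code from Cyber Daily, Clayton Utz or any product: it keeps a small data catalogue recording the documented purpose, retention period, encryption status and any storage prohibition for each field, then audits records against it and also scans free-text fields for payment card numbers that have leaked in where nobody catalogued them. The catalogue, the customer records and the retention periods are all hypothetical and constructed for illustration.

```python
"""Data-holdings audit: flag fields a business cannot justify holding.

Constructed example. The catalogue, records and retention periods are
hypothetical; the checks are the point.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class FieldPolicy:
    name: str
    purpose: str | None          # documented business reason; None if nobody can state one
    retention_days: int | None   # days after collection the field may be kept; None = indefinite
    encrypted: bool              # stored encrypted at rest
    prohibited: bool = False     # a compliance rule forbids storing it at all (e.g. CVV after authorisation)
    free_text: bool = False      # unstructured field that may accumulate uncatalogued data


@dataclass(frozen=True)
class Record:
    customer_id: str
    collected: date
    fields: dict[str, str]


# Hypothetical catalogue for a retailer's customer table.
CATALOGUE = [
    FieldPolicy("email", "account login and service notices", 365 * 7, encrypted=True),
    FieldPolicy("passport_number", "identity verification at sign-up", 30, encrypted=False),
    FieldPolicy("medicare_number", None, None, encrypted=False),
    FieldPolicy("card_cvv", "recurring billing", None, encrypted=True, prohibited=True),
    FieldPolicy("notes", "support history", 365 * 2, encrypted=True, free_text=True),
]

# Constructed records, not real customer data. 4111 1111 1111 1111 is a well-known test card number.
RECORDS = [
    Record("c-001", date(2023, 1, 10),
           {"email": "a@example.com", "passport_number": "PA1234567",
            "medicare_number": "2123 45670 1", "card_cvv": "123",
            "notes": "Paid with card 4111 1111 1111 1111 over the phone"}),
    Record("c-002", date(2024, 5, 1),
           {"email": "b@example.com", "passport_number": "PB7654321",
            "medicare_number": "", "card_cvv": "", "notes": "Nothing to report",
            "mothers_maiden_name": "Smith"}),
]

AUDIT_DATE = date(2024, 5, 28)  # hypothetical "today" for the retention checks


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"(?:\d[ -]?){13,19}")


def looks_like_card_number(text: str) -> bool:
    """True if a Luhn-valid run of 13 to 19 digits (spaces/dashes allowed) appears in the text."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def audit(records, catalogue, today: date) -> list[tuple[str, str, str]]:
    """Return (customer_id, field, finding) for every held value that fails a test."""
    policy = {p.name: p for p in catalogue}
    findings = []
    for rec in records:
        for name, value in rec.fields.items():
            if not value:
                continue  # nothing held, nothing to justify
            p = policy.get(name)
            if p is None:
                findings.append((rec.customer_id, name, "field not in data catalogue"))
                continue
            if p.prohibited:
                findings.append((rec.customer_id, name, "prohibited by compliance rule"))
            if p.purpose is None:
                findings.append((rec.customer_id, name, "no documented business purpose"))
            if p.retention_days is not None and rec.collected + timedelta(days=p.retention_days) < today:
                findings.append((rec.customer_id, name, "retention period exceeded"))
            if not p.encrypted:
                findings.append((rec.customer_id, name, "stored unencrypted"))
            if p.free_text and looks_like_card_number(value):
                findings.append((rec.customer_id, name, "card number in free text"))
    return findings


def default_findings() -> list[tuple[str, str, str]]:
    return audit(RECORDS, CATALOGUE, AUDIT_DATE)


if __name__ == "__main__":
    for finding in default_findings():
        print(" | ".join(finding))
```

Run against the constructed data, the audit surfaces the same categories of failure the article's European examples turned on: a CVV held in breach of a storage prohibition, passport numbers kept past their retention period and unencrypted, a Medicare number with no stated purpose, a card number sitting in a support note, and a field nobody catalogued at all. Each finding is a question the business should be able to answer before a regulator or a class-action plaintiff asks it.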

The comments come after the Commonwealth raised the maximum penalty for serious or repeated privacy breaches in 2022 to the greater of $50 million, three times the value of any benefit obtained from the misuse of the information, or 30 per cent of the company’s adjusted turnover over the relevant period.

Liam Garman

Liam Garman is the editor of leading Australian security and defence publications Cyber Daily and Defence Connect. 

Liam began his career as a speech writer at New South Wales Parliament before working for world leading campaigns and research agencies in Sydney and Auckland. Throughout his career, Liam has managed and executed a range of international media and communications campaigns spanning politics, business, industrial relations and infrastructure. He’s since shifted his attention to researching and writing extensively on geopolitics and defence, specifically in North Africa, the Middle East and Asia. He holds a Bachelor of Commerce from the University of Sydney and a Masters of Strategy and Security from UNSW Canberra, with a thesis on postmodernism and disinformation operations. 
