Data is not gold – it's uranium so handle with care
The Federal Government has embarked on a review to "bring the Privacy Act into the digital age", which could bring Australia closer to privacy regimes such as the GDPR. For Australian businesses, the repercussions of the proposed changes will be significant. Obligations around deleting data that is no longer required for its intended purpose will intensify, and the provisions of the Privacy Act, which currently apply only to businesses with annual turnover above $3M, are expected to be extended in 2024 to all businesses that hold personally identifiable information (PII).
For many years, businesses have seen data as an incredibly valuable resource. Data has been variously described as being like gold or oil – sometimes challenging to extract but capable of delivering vast benefits to the holders. But recent high-profile cybersecurity breaches have exploded that narrative. While data remains precious, there is recognition that it must be handled with great care. Data is no longer business gold – it's uranium. Powerful and valuable but risky to hold and toxic if it escapes.
A cyberattack that leads to the theft of PII can have a significant impact on a business. Medibank reports that the cost of the attack it suffered in October 2022 could exceed $80M. Beyond such direct costs, the reputational damage of an attack can itself be financially damaging.
Boards, C-suite executives and business leaders must take active steps to understand what data they are collecting and its purpose and put steps in place to protect it through every stage of the data lifecycle. That means identifying each stage of the data lifecycle, what risks are present at each stage and ensuring that the business meets its legal obligations and upholds its trust-based covenant with customers, partners and other stakeholders.
Creation and collection
Businesses create and collect data constantly. That can be anything from production data within manufacturing systems through to contact details and personal information from online forms, email or from contact centres. But PII should only be collected for a specific and intended purpose.
The days of collecting data "just in case" it may become useful have passed. The Privacy Act and the accompanying Australian Privacy Principles make clear that personal information should only be collected where it is reasonably necessary for a stated purpose, and that sensitive information should only be collected with consent. While this requirement currently applies only to businesses with annual turnover in excess of $3M, it is a good rule for all businesses to follow.
Processing, storage and management
Data security experts talk about data being in two main states: in flight (in transit) or at rest; many now add a third, data in use, for data loaded into memory while it is being processed. Businesses must have controls that ensure data can only be accessed by authorised parties, and only when it is needed. When data is sent between parties or systems it should be protected with encryption, so that it cannot be used should a threat actor intercept the transmission; data at rest should likewise be encrypted, so that a stolen disk, backup or database dump is not directly readable.
Businesses must take steps to ensure only authorised parties have access to data, with access granted on a need-to-know basis and logged, and that every system that handles PII is operated with privacy controls in place.
Backups, archives and destruction
Backups are critical for ensuring that data that is accidentally deleted, encrypted by ransomware or otherwise tainted can be recovered to a known good state. A good rule of thumb is the 3-2-1-0 principle: three copies of your critical data, on at least two different media, with one copy offsite, and zero errors when the backups are verified by test restores. Because ransomware operators target backups as well as production systems, at least one copy should also be offline or immutable so that it cannot be encrypted or deleted along with the live data.
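As an added illustration that is not from the original article, the following Python script checks a backup inventory against the 3-2-1-0 rule. Everything in it is constructed for this page: the inventory, the medium names and the sample dataset bytes are made up, and a SHA-256 comparison against the primary copy stands in for the test restore that "zero errors" really calls for. A copy whose digest does not match is reported as an error and is not counted toward the three copies, the two media or the offsite requirement.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    """One copy of a critical dataset in the backup inventory (constructed example)."""
    location: str          # human-readable label, e.g. "tape-offsite"
    medium: str            # "disk", "tape", "object-storage", ...
    offsite: bool
    content: bytes         # inline bytes here; in practice stream the file/tape and hash it
    primary: bool = False  # True for the production copy


# Constructed sample dataset; any bytes will do for the demonstration.
SAMPLE_DATA = b"customer-ledger-2023: 1,024 records (constructed sample)"


def sample_inventory(corrupt_offsite: bool = False) -> list[BackupCopy]:
    """Primary on disk, a second copy on disk onsite, a third on tape offsite."""
    offsite_bytes = SAMPLE_DATA
    if corrupt_offsite:
        # Simulate a single flipped bit in the tape copy.
        offsite_bytes = SAMPLE_DATA[:10] + bytes([SAMPLE_DATA[10] ^ 0x01]) + SAMPLE_DATA[11:]
    return [
        BackupCopy("san-primary", "disk", offsite=False, content=SAMPLE_DATA, primary=True),
        BackupCopy("nas-onsite", "disk", offsite=False, content=SAMPLE_DATA),
        BackupCopy("tape-offsite", "tape", offsite=True, content=offsite_bytes),
    ]


def verify_3_2_1_0(copies: list[BackupCopy]) -> dict:
    """Check an inventory against 3-2-1-0: >=3 intact copies, >=2 media, 1 offsite, 0 errors.

    A copy is 'intact' when its SHA-256 digest matches the digest of the primary copy.
    """
    primary = next(c for c in copies if c.primary)
    expected = hashlib.sha256(primary.content).hexdigest()
    intact, errors = [], []
    for copy in copies:
        if hashlib.sha256(copy.content).hexdigest() == expected:
            intact.append(copy)
        else:
            errors.append(copy.location)
    media = {c.medium for c in intact}
    offsite = any(c.offsite for c in intact)  # a corrupt offsite copy does not count
    return {
        "copies": len(intact),
        "media": len(media),
        "offsite": offsite,
        "errors": errors,
        "compliant": len(intact) >= 3 and len(media) >= 2 and offsite and not errors,
    }


if __name__ == "__main__":
    print(verify_3_2_1_0(sample_inventory()))
    print(verify_3_2_1_0(sample_inventory(corrupt_offsite=True)))
```

With the healthy inventory the check reports three copies on two media with an offsite copy and no errors; corrupting the tape copy drops it from the count, removes the only offsite copy and fails the check, which is the point of the "0": a backup you have not verified is not a backup you can rely on.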
An archive is a point-in-time snapshot of your data that is retained and cannot be altered: unlike backups, which are overwritten or updated regularly, an archive is written once and never changed. A company may, for example, take a full copy of all its data and store it in an offline facility.
One of the lessons from recent cybersecurity breaches was that PII belonging to people who had long since ceased to be customers was still being held, and was therefore exposed once the attacker got in. While there may be legal obligations to keep certain data, a retention strategy that moves data which has not been accessed for a defined period into an archive can satisfy those obligations while removing the data from live systems. Archived data is still held data, however: it must be protected (ideally offline) and destroyed once the retention period ends. Data that is unlikely ever to be needed, such as when a tranche of customers is sold to another entity, should be permanently destroyed.
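As an added example that is not part of the original article, the following Python code applies the retention strategy just described to a set of constructed customer records: records still in active use are kept, records that are inactive (or belong to customers transferred to another entity) are archived only while a retention obligation is outstanding, and everything else is marked for destruction. The 365-day inactivity period, the record fields, the policy date and the sample records are assumptions made for the illustration, and a legal hold is modelled as overriding every other rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy threshold for "not accessed for a defined period"; not from the article.
INACTIVITY_PERIOD = timedelta(days=365)

# Assumed date on which the policy is evaluated (constructed for the example).
SAMPLE_TODAY = date(2024, 3, 1)


@dataclass
class Record:
    """A PII record with the metadata the retention decision needs (constructed example)."""
    record_id: str
    last_accessed: date
    retained_until: Optional[date]   # end of any legal/contractual retention period, or None
    legal_hold: bool = False         # litigation hold: never archive or destroy while set
    transferred: bool = False        # customer sold/transferred to another entity


def classify(record: Record, today: date) -> str:
    """Return 'keep', 'archive' or 'destroy' for one record under the retention policy."""
    if record.legal_hold:
        return "keep"                 # a hold overrides every other rule
    active = today - record.last_accessed <= INACTIVITY_PERIOD
    if active and not record.transferred:
        return "keep"                 # still in live use for its stated purpose
    # Inactive or transferred: only an outstanding retention obligation justifies
    # holding the record, and then in the write-once archive rather than live systems.
    if record.retained_until is not None and today <= record.retained_until:
        return "archive"
    return "destroy"


def apply_retention(records: list[Record], today: date) -> dict[str, list[str]]:
    """Group record IDs by the action the policy prescribes."""
    plan = {"keep": [], "archive": [], "destroy": []}
    for record in records:
        plan[classify(record, today)].append(record.record_id)
    return plan


def sample_records() -> list[Record]:
    """Constructed records covering each branch of the policy."""
    return [
        Record("r1", date(2024, 2, 20), date(2031, 2, 20)),                 # active customer
        Record("r2", date(2021, 6, 1), date(2028, 6, 1)),                   # lapsed, obligation outstanding
        Record("r3", date(2015, 3, 1), date(2022, 3, 1)),                   # lapsed, obligation expired
        Record("r4", date(2015, 3, 1), date(2022, 3, 1), legal_hold=True),  # as r3, but under hold
        Record("r5", date(2024, 2, 28), None, transferred=True),            # sold to another entity
    ]


if __name__ == "__main__":
    print(apply_retention(sample_records(), SAMPLE_TODAY))
```

Evaluated on 1 March 2024 the plan keeps r1 and r4, archives r2 and destroys r3 and r5. In production the "destroy" list would feed a secure-deletion job and the "archive" list a write-once, offline store; the important property is that a record never stays in live systems merely because nobody got round to deciding about it.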
Businesses that want to reduce both the risk of data theft and the business impact should a threat actor overcome their defences must think strategically about the data they collect, use and retain. Every additional piece of data collected or generated increases the size of the potentially destructive payload that a malicious party seeking profit or notoriety could leverage.