This feature article was originally published by The Australian Financial Review.
Australia’s spate of high-profile data breaches highlights the need for businesses and their customers to rethink the way they store and share sensitive personal data, bolstering not only security but also resilience.
Cyberattacks against Australian organisations continue to rise, with the Australian Cyber Security Centre receiving more than 67,500 cybercrime reports in the 2020-21 financial year, an annual increase of almost 13 per cent.
The average total cost of a cyber data breach in Australia also continues to rise – totalling $US4.35 million, or $US164 per lost or stolen record, according to IBM’s 2022 Cost of a Data Breach Report. Added to this is the cost of the significant long-term reputational damage that comes from making headlines for all the wrong reasons.
Holding a treasure trove of sensitive customer data is what made some recent victims such an attractive target for cybercriminals. Data may be the new oil but, just like oil, it is toxic if mishandled and can present a significant business risk.
Organisations in some sectors are required to conduct 100-point identity checks to meet their obligations under state/territory and federal legislation, as well as under anti-money laundering legislation. Even so, they are not required to store the details of sensitive documents such as Medicare cards, drivers’ licences and passports.
Across all sectors, from Australia’s largest enterprises down to the smallest local businesses (which are often too small to be subject to the Privacy Act), organisations engage in extensive data collection practices without considering the full implications.
Rather than just focus on the collection and storage of customer data, Australian organisations of all sizes must consider the full data life cycle to mitigate the risks of holding personally identifiable information, says Dr Memoona J. Anwar – chief compliance and innovation officer with Australian regtech solutions provider Data Zoo.
Australian consumers and regulators must push back against the “hyper collection” of personal data that makes some organisations so attractive to cybercriminals, Anwar says. This requires managing every aspect of the full data life cycle, from collection and storage to processing and eventual destruction, to build more compliant, secure and resilient systems.
“Right now, not many Australian organisations, I would say not even government organisations, are truly following a data life cycle approach which is continually reviewed and monitored,” she says. “This is why we keep reading about such devastating data breaches.
“Calls for more secure identity verification and data-sharing practices are only going to succeed if organisations address the full end-to-end data life cycle while adapting to new threats.”
Establishing a data life cycle to improve storage and sharing practices requires breaking down data silos across the business, Anwar says. Instead, data must flow through the business via a secure “data sharing fabric”, which ensures security and compliance whenever data is captured or put to use.
Data Zoo provides organisations with an identity ecosystem, incorporating identity and document verification as well as fraud detection and Know Your Customer (KYC) remediation. It has also developed a global digital identity wallet, stored on a smartphone, which decentralises data by allowing customers to securely prove their identity to service providers without the need to hand over copies of documents.
Data Zoo is working with service providers, financial institutions and regulators around the globe to establish a framework that will allow customers to use a digital identity wallet to securely authenticate their identity, says Data Zoo founder and CEO Tony Fitzgibbon.
For organisations that are not yet ready to take advantage of that framework, Data Zoo can act as a secure intermediary for authentic customer identity data without storing it.
The B2C model of Data Zoo’s identity wallet, which will be launched in the coming months, will enable complete ownership and true decentralisation, paving the way towards Web3 technologies.
The goal is to empower consumers to manage their own data and identity, Fitzgibbon says, while also allowing organisations to minimise risk to themselves and their customers by reducing the amount of data they hold.
“Recent events make it clear that protecting personally identifiable information is not just about building higher walls and stronger locks around that treasure trove of data, it’s about reducing the need for organisations to hold that data in the first place,” he says.
“It all begins with education and board-level decisions to rethink the scramble to collect and retain vast amounts of sensitive data without giving enough thought to what kinds of risks that creates for all involved.”