This opinion piece by Data Zoo Chief Executive Officer, Tony Fitzgibbon, was first published by SmartCompany.
The Optus data breach has reignited calls for an overhaul of Australian cybersecurity measures. In a statement to Parliament, Home Affairs Minister Clare O’Neil promised substantial reform efforts in the coming days and called into question the security requirements placed on Australian telecommunication companies. Meanwhile, the Coalition has called on Labor to introduce stricter penalties on cyber extortion and ransomware activities.
In recent years, companies across the globe have faced substantial penalties for failing to protect customer data. For these companies, fines are simply a slap on the wrist unless changes are made to their policies to address privacy concerns.
While companies face fines and reputational damage, consumers are left in the dark with no control over their identities. The implications are far-reaching. An individual’s financial wellbeing could be set back for years through no fault of their own. No amount of compensation will alleviate the stress individuals face when their identity is exposed. Companies must proactively work to protect an individual’s privacy and personal information.
There will always be a trade-off between usability and security. To access certain services, customers must share their personal information and consent to their data being stored by a third-party service provider. In some cases, a third party is required to store customer data to meet regulatory requirements and for billing and auditing. Nevertheless, companies should inform their customers about the possible usage and storage of their data and ensure that they are collecting, processing and storing customer information on the basis of informed consent rather than implied consent. The Australian Privacy Act (1988) governs companies like Optus. Despite several privacy protections for Australians, consumers still struggle to know whether the external provider a company engages operates within Australia and is therefore governed by the same act.
Once a customer shares their personal information, the real responsibility falls on the company to be transparent about how they and their external providers manage customer data.
The case becomes more sensitive if identity information is involved.
Many Australian companies use local or global identity providers to verify customer information.
Consumers are not privy to this information and do not know where their information goes, how it is handled and by whom.
There is a lack of transparency around the data retention policies of these external providers that are processing the transactional data on behalf of the original service provider. In this scenario, companies must do their due diligence to understand how their providers use customer data and the security safeguards they have to protect this information.
No system is 100% secure. Even after implementing all security standards, systems will still get hacked, and data breaches will still happen. It is more important to be resilient than secure. A cybersecurity breach could happen to any company, no matter how secure it thinks it is. Resilience is vital to protecting customers efficiently and effectively. Companies must pay attention to their cyber defence practices, implement robust data encryption, transmission, destruction and retention policies, and ensure their customers are providing informed consent and can exercise their right to be forgotten.
In the case of Optus, it must keep its customers’ telecommunication data for the life of their account and for at least two years after the account has closed, under the Telecommunications (Interception and Access) Act 1979. While Optus has regulatory requirements and needs to show how it verified a customer using FTRA (100 points of ID), this data must be encrypted to ensure it is protected in case of a breach. Additionally, there must be transparent data destruction policies so customers can be assured that their information is no longer being stored once they have left.
Companies must reconsider how they store and retain data and reassess who they use to process data. Without a regulatory or legal requirement, data should not be stored. If it is, then customers must provide informed consent. There is considerable work to be done to empower consumers to regain control of their identities. Increased fines and penalties may discourage some, but ultimately, an overhaul of how companies safeguard customer data is key to addressing this challenge.