“The Optus breach may prove to be the single biggest inflection point we’ve seen in this country for driving awareness and prioritisation of cybersecurity and data privacy,” Mr MacGibbon said.
ASX CIO Dan Chesterman says his company had been auditing the data it holds to see what it can purge. Jeremy Piper
“It’s been described as a ‘wake-up call’ by everyone from the prime minister on down, and without doubt cyber will have been the number one issue discussed around boardrooms and C-suites in the past fortnight.”
Rob James, former Vodafone and TPG group chief digital and information officer, and former Qantas group chief technology officer, said the “wake-up call” was evident in the surge in client calls he had received from companies asking him to help them navigate and understand everything from the definition of privacy data, to their overall obligations, and how to respond to an incident to avoid the public relations nightmare Optus has suffered.
However, he warned that businesses had faced similar moments of cyber clarity in the past, when breaches had occurred, and ultimately carried on as before, without making major process changes.
“I am seriously surprised about the lack of knowledge out there on even the basic understanding of what quantifies customer data. For example, if you were to simply lose a salutation, first name and last name, is that enough to consider privacy data? The answer is ‘yes’,” Mr James said.
“We have seen time and time again, this level of attention is quite transient. We saw similar reactions after the Toll malware attack, Service NSW breach in 2020, or even the Marriott and British Airways data breaches in 2018 that saw their share price impacted as much as 20 per cent after the attack.
“As an industry, we have a lot of work to do here and without government intervention, it will go painfully slow. I would like to see more in respect to mandated protections of customers’ data, and even a central control authority to protect and control the data.”
Commonwealth Bank’s chief data and analytics officer Andrew McMullan said the bank had long put a concerted effort into protecting its customers’ data, using what he called a “multipronged approach” to data privacy, security and protection.
Businesses have spent years compiling data on their customers, using it to inform business strategy and commercial offers.
In the banking sector, the sharing of customers’ data between institutions and fintech start-ups is deemed so important for both customer service and product innovation that a long-running “open banking” regime has been in force as the first step in a broader consumer data right, which will operate in numerous sectors.
Dr McMullan and his peers in companies of all sizes are now facing heightened focus on data privacy, while attempting to balance the use of data as a competitive asset.
“We have a responsibility to understand our customers, so we can provide exceptional service and responsibly meet their needs,” Dr McMullan said.
“This includes gathering and utilising customer data to make informed assessments, such as lending responsibly based on a customer’s credit assessment, while meeting local and international requirements around KYC (know your customer), AML (anti-money laundering) and more.
“Customers expect us to know them, to look after their best interests and to provide personal service and experiences that meet their needs – which involves responsible and innovative use of data.”
Chief information officer at the ASX Dan Chesterman said the share exchange operator has a head of data governance as part of his team, and has been undergoing a process of assessing what data it can dispose of.
He said he expected the Optus breach would lead to European-style data laws, which include a consumer’s right to be forgotten, and said ASX had already moved to adhere to stricter standards than other organisations, due to its designation as a system of critical infrastructure.
“We’d already been assessing some of the risk associated with some of the data that we held that, actually if you look at it, there’s risk associated with holding it but not a lot of upside with keeping it,” Mr Chesterman said.
“So we’d already purged and removed some of the data that fits in that category. And that was largely in relation to things like the European data laws which are stronger than the Australian data laws in terms of penalties that you’d suffer if you were to have a breach.
“[Since the Optus breach] we have been through the process, as I think every corporate in Australia would have done, of assessing all of the data that we hold, asking what APIs we have, what protections we have in place, and if there is any risk associated with the data that Optus might have of our customers or our employees.”
Director of technology services firm Waterstons Charlie Hales said Australian companies were subject to laws related to how long they have to store certain customer data for – such as some employee data needing to be retained for 75 years in case of a personal claim against workers’ compensation – but there was less rigour about when they should destroy data.
Lawyers recently told The Australian Financial Review that existing privacy laws meant companies were obliged to delete people’s data after they have used it for its original purpose.
However Mr Hales said any rules were loose and not enforced.
“This is different in other countries where consumers have the right to request data held about them is destroyed, so Australia is behind on this,” Mr Hales said.
“For example in schools in NSW the suggested disposal action for ‘student reference files’ containing information such as medical details and parental information is to retain it until the student reaches the age of 25, or for seven years, whichever is later, and then to destroy it. This is just suggested though, and is not enforced.
“There is very little to stipulate exact durations for how long companies can keep data, and it is definitely not policed … so, there is very little to protect people, and companies can interpret it and keep data for a long time.
“So implementing something to remove the data after a certain time period is going to be a big job for companies when it is mandated.”
Originally published at Melbourne News Vine