Data: The asset that is quickly becoming the liability?

The Optus data breach has been widely publicised since it occurred on September 22nd, and the fallout continues for the organisation and its customers. This extremely challenging time for Optus employees and the people affected by the breach gives Australian businesses and Australian consumers a valuable learning opportunity going forward.

The fallout

The Federal government has already directed Optus to cover the cost of document renewals.

National law firm Maurice Blackburn has lodged a representative complaint with the privacy watchdog, the Office of the Australian Information Commissioner (OAIC). The OAIC has subsequently launched its own investigation into the data breach, in conjunction with the telco regulator, the Australian Communications and Media Authority (ACMA).

As outlined by the Australian Financial Review (AFR), the hack is likely to cost Optus millions: it will lose customers to competitors, have to cover the cost of fixing systems, and compensate customers. The AFR cites the example of Sony, whose data was hacked in 2015 and which was ordered to pay affected employees a total of US$8 million.

The Australian Federal Police has launched Operation Guardian, ramping up digital surveillance with the aim of helping impacted customers and safeguarding Australians against cybercrime.

What must organisations do?

These are our top 7 priorities we recommend you start with:

  1. Interpret policy to define privacy and retention obligations
  2. Quantify the risk of data breaches versus the benefits of keeping it
  3. Don’t confuse information, data, and document policies
  4. Don’t confuse data archiving with data deletion
  5. Monitor data access as well as data storage
  6. Learn from PCI-DSS
  7. Assign clear accountabilities

Interpret policy to define privacy and retention obligations

One of the biggest challenges with data is translating several policies into a clear definition of what is considered private data and how long it must be retained.

Organisations need to review and interpret Australian Commonwealth law through the Privacy Act. There are also state-level Privacy and Data Protection Acts to review. These will need to be complemented with industry-specific policies: for example, the Telecommunication Interception and Access Act for telcos, and Consumer Data Rights for financial services, utilities, and soon telcos. And these exclude employee-related obligations as defined by Fair Work.

When interpreting these laws and policies, organisations will need to determine what qualifies as customer data. More importantly, what qualifies as necessary versus unnecessary private customer data? And what needs to be retained, for what purpose, and for how long?

One of the most challenging interpretations is around de-identification. Organisations will need to understand whether de-identified data is classified as private customer data.

Not all data is equal

Many organisations have invested time and financial resources into collecting data on their customers in the hope that their data scientists will one day find that golden nugget.

Businesses should reflect on why they are collecting it in the first place. A good place to start is with the questions they want to ask of their data to inform business strategy and to provide better products and services. Then work out which private customer data is actually required. As the ASX Chief Information Officer, Dan Chesterman, points out in the AFR, organisations need to assess the risk associated with holding data against the upside of keeping it.

Don’t confuse information, data, and document policies

We often see organisations confusing structured data and document policies. Many organisations have multiple policies spanning information, data, knowledge, content and more. It is quite common for businesses to have both data retention policies and document retention policies, with the latter usually having an internal lens. Yet it looks like documents and images containing personal customer data have had the biggest impact in the Optus breach.

Organisations would do well to consider customer data policies and employee data policies rather than broader policies that are left to further interpretation.

Archive does not mean delete

How many sleeper databases do you have? Historical data and legacy systems are kept on low-cost storage and essentially forgotten about, usually because “there may be a need for it in the future.” What is out of sight and out of mind for you is a potentially lucrative target for hackers.

Monitor data access as well as data storage

With data APIs, data analysis tools and reporting tools, the number of ways to access data has grown significantly over the years. Even data platforms are making production-like data more accessible for exploration. When translating policies into procedures, it’s not just about retention, but also about access.

Data APIs, especially external ones, must be tested against attack as well as for normal business use. Have a clear approach to penetration testing.

Data architecture should examine how private customer data is being replicated across systems, and across environments within those systems.
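As an added illustration of monitoring access rather than only storage, the script below is example code written for this article (it is not Optus’s tooling or any vendor’s product). It parses a constructed API access log and raises two kinds of findings: one client pulling more distinct customer records inside a time window than a threshold allows, and access to the more sensitive document sub-resource by a client outside an allow list. The log format, client names, endpoint paths, threshold and allow list are all assumptions made for the example.

```python
"""Added example: flag risky access patterns in a customer-data API log.

The log format, client names, endpoint paths and thresholds are assumptions
made for this illustration; the sample lines are constructed, not real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client id, auth result, method, path.
SAMPLE_LOG = """\
2022-09-20T10:00:01Z client=app-web auth=ok GET /v1/customers/10001
2022-09-20T10:00:02Z client=app-web auth=ok GET /v1/customers/10042
2022-09-20T10:00:03Z client=app-web auth=ok GET /v1/customers/10042/documents
2022-09-20T10:05:00Z client=ext-portal auth=ok GET /v1/customers/20001
2022-09-20T10:05:01Z client=ext-portal auth=ok GET /v1/customers/20002
2022-09-20T10:05:02Z client=ext-portal auth=ok GET /v1/customers/20003
2022-09-20T10:05:03Z client=ext-portal auth=ok GET /v1/customers/20004
2022-09-20T10:05:04Z client=ext-portal auth=ok GET /v1/customers/20005
2022-09-20T10:05:05Z client=ext-portal auth=ok GET /v1/customers/20006
2022-09-20T10:12:00Z client=partner-x auth=ok GET /v1/customers/10042/documents
2022-09-20T10:30:00Z client=batch-report auth=ok GET /v1/customers?page=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) auth=(?P<auth>\S+) "
    r"(?P<method>\S+) (?P<path>\S+)$"
)
# Per-customer resources only; list endpoints such as /v1/customers?page=1 are skipped.
CUSTOMER_RE = re.compile(r"^/v1/customers/(?P<cid>\d+)(?P<sub>/.*)?$")

# Hypothetical allow list: clients entitled to the document sub-resource.
DOCUMENT_CLIENTS = {"app-web"}


def parse(log_text):
    """Turn log lines into dicts with a parsed timestamp; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, max_distinct=5, window=timedelta(minutes=10)):
    """Return (rule, client, detail) tuples for suspicious customer-data access."""
    findings = []
    history = defaultdict(list)  # client -> [(timestamp, customer id)] inside the window
    alerted = set()              # clients already reported for enumeration
    for e in sorted(events, key=lambda ev: ev["ts"]):
        m = CUSTOMER_RE.match(e["path"])
        if not m:
            continue
        cid, sub = m.group("cid"), m.group("sub") or ""
        # Rule 1: the document sub-resource is higher sensitivity; only
        # allow-listed clients should ever read it.
        if sub.startswith("/documents") and e["client"] not in DOCUMENT_CLIENTS:
            findings.append(("document_access_outside_allowlist", e["client"], cid))
        # Rule 2: many distinct customers from one client in a short window
        # looks like enumeration rather than ordinary per-customer lookups.
        cutoff = e["ts"] - window
        history[e["client"]] = [(t, c) for t, c in history[e["client"]] if t >= cutoff]
        history[e["client"]].append((e["ts"], cid))
        distinct = {c for _, c in history[e["client"]]}
        if len(distinct) > max_distinct and e["client"] not in alerted:
            alerted.add(e["client"])
            findings.append(("enumeration", e["client"], len(distinct)))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

The thresholds are deliberately low so the constructed sample trips them; in practice they are tuned per client against a baseline of normal per-customer lookups, and the findings feed whatever alerting the organisation already runs.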

Learn from PCI-DSS

Most organisations have had to interpret and implement the Payment Card Industry Data Security Standard (PCI-DSS). They needed to translate policy into business processes, classify data, find the sensitive data, and implement de-identification and retention procedures.

Whilst PCI-DSS was easier to interpret than the many privacy policies currently in play, there are many learnings to reapply.
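The following is an added example, written for this article and not taken from the PCI standard or from any organisation’s implementation, of the PCI-DSS-style steps above turned into code. It also serves as the retention sweep that the “Archive does not mean delete” section calls for: it finds candidate card numbers in free text with a regex plus Luhn check, tokenises them with an HMAC so the stored value cannot be reversed without the key, classifies each record, and decides by age whether to retain or delete it. The record layout, the retention periods and the tokenisation key are assumptions made for the example.

```python
"""Added example: PCI-DSS-style find / de-identify / retain-or-delete sweep.

Record layout, retention periods and the tokenisation key are assumptions
made for this illustration; the sample records are constructed.
"""
import hashlib
import hmac
import re
from datetime import date

# Candidate primary account numbers: 13-19 digits, optionally separated by
# spaces or hyphens, starting and ending on a digit.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Hypothetical key; in production it comes from a key-management system.
TOKEN_KEY = b"example-only-key-do-not-use"

# Hypothetical retention periods in days per data class.
RETENTION_DAYS = {"cardholder_data": 90, "customer_record": 365 * 7}

# Date the sweep is run as of (constructed).
AS_OF = date(2022, 10, 1)


def luhn_ok(digits):
    """Luhn check, used to drop numbers that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card numbers in free text, digits only."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [d for d in candidates if luhn_ok(d)]


def tokenise(pan):
    """Keyed, irreversible token that keeps the last four digits for matching."""
    tag = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]
    return f"tok_{tag}_{pan[-4:]}"


def de_identify(text):
    """Replace every Luhn-valid card number in the text with its token."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return tokenise(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, text)


def classify(record):
    """A record holding any card number is classed as cardholder data."""
    return "cardholder_data" if find_pans(record["notes"]) else "customer_record"


def process(record, today):
    """Classify, then delete if past retention or retain a de-identified copy."""
    cls = classify(record)
    age_days = (today - record["captured"]).days
    action = "delete" if age_days > RETENTION_DAYS[cls] else "retain"
    return {
        "id": record["id"],
        "class": cls,
        "action": action,
        "notes": de_identify(record["notes"]) if action == "retain" else None,
    }


def sweep(records, today):
    return [process(r, today) for r in records]


# Constructed sample records; the last one is a Luhn-invalid number that must
# be left alone so ordinary reference numbers are not mangled.
SAMPLE_RECORDS = [
    {"id": 1, "captured": date(2022, 8, 1), "notes": "card 4111 1111 1111 1111 on file"},
    {"id": 2, "captured": date(2022, 5, 1), "notes": "card 4111-1111-1111-1111 on file"},
    {"id": 3, "captured": date(2015, 3, 1), "notes": "legacy account, contact by post"},
    {"id": 4, "captured": date(2022, 9, 1), "notes": "ref 4111 1111 1111 1112 is an order id"},
]

if __name__ == "__main__":
    for result in sweep(SAMPLE_RECORDS, AS_OF):
        print(result)
```

Two design points carry over to private customer data more generally: classification happens before de-identification, so the stricter retention period is applied to the record as it was captured, and the token is keyed rather than a plain hash, so a leaked archive of tokens cannot be brute-forced back to card numbers without the key.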

Assign clear accountabilities

One of the best places to start is assigning clear accountabilities. Unfortunately, when it comes to data privacy and retention policies, it reminds me of the story of Everybody, Somebody, Anybody and Nobody.

To keep it simple:

  • Risk and Compliance teams, with the help of the Legal team, are best placed to interpret the various federal, state and industry policies into internal policy and to quantify the potential downside of data.
  • Retail and Marketing Operations are best placed to ask good questions of customer data, and thereby estimate the upside of data. They are also best placed to understand what can be achieved through de-identified cohorts, versus what private customer data is required for personalised services.
  • IT is best placed to implement policies into automated tools for retention, access, de-identification, and monitoring.
  • Centralised roles such as Chief Information Security Officer and Chief Data Officer can help organise effort.

What can individuals do?

Aside from the good practice of looking for suspicious online activity, as individuals we must be more conscious about what we want from the businesses we interact with.

Sharing personal identity in order to score a certain number of points for a particular service may be a necessary evil. When sharing lots of private information in the hope of personalised services, we may want to question the upside of that versus the downside of handing over personal information.

An opportunity to learn

The biggest confusion seems to be why Optus was holding onto the data of past customers. This will come out in the various root cause analyses and investigations. And politicians have already been vocal about tighter controls and harsher penalties for companies that unnecessarily store private data. Initial surveys suggest that 77 per cent of voters support stronger privacy rules.

As the ABC points out, the irony is that the Telecommunication Interception and Access Act (TIA Act), part of Australia’s metadata laws, which was introduced in the name of national security, has potentially led to the data storage that has now put our privacy and online integrity at risk! Let’s hope the push for tighter policies and controls is based on actual learnings, and not on sentiment nor political opportunity for greater surveillance and punishment. Most importantly, let’s hope we don’t create further chaos, or open up the national security issues we were trying to solve in the first place.

We feel for the employees at Optus, and the 9.8 million people for whom there is uncertainty surrounding how they have been exposed to identity fraud. At a minimum, the Optus data breach has raised awareness for both consumers and organisations.
