
The dangers of storing unnecessary data

Here, Lawyers Weekly’s sister brand, Cyber Daily, sits down with Brenton Steenkamp, cyber partner at Clayton Utz, to unpack what exactly businesses are putting at risk when they play fast and loose with their data policies.

Liam Garman, 03 June 2024, Big Law

Some might not consider it problematic, but storing unnecessary data can leave businesses liable to legal action and reputational damage.

“But if it was Optus that got hacked, why has my Medicare card been exposed?” Observers and cyber security insiders can identify almost the precise moment that data security became a top-of-mind concern for Australians.

Reputationally, Optus was shattered. In just months, the telco lost some 65,000 subscribers, and it took just one more public calamity to topple embattled CEO Kelly Bayer Rosmarin. Financially, the company didn’t fare any better. Following the breach, Optus itself highlighted that the clean-up could cost $140 million.


Breaches like this are not unique to Australia, and like Australia, governments across the globe are tightening the regulatory screws on businesses to ensure the safe and ethical storage of data.

In 2020, British Airways was fined €22 million for a breach of customer data, including both credit card numbers and CVVs. That same year, Marriott International received a €20 million fine for a breach that saw 5 million unencrypted passport numbers stolen. In these circumstances, the companies held unnecessary information regarding their customers while also failing to adequately protect their data. As such, they were held to account under the European Union’s GDPR.

To understand Australia’s changing data protection requirements and the risks businesses face when they are too cowboy with their cyber security policies, Cyber Daily sat down with Brenton Steenkamp, cyber partner at Clayton Utz.

To the cyber expert, businesses will likely face legal challenges on two fronts if a cyber breach reveals unnecessary data retention behind poor security architectures: the first from the government and regulators, for compliance failure, and the second from a class action brought by victims.

With the Commonwealth’s ambitious goal of making Australia the world’s most cyber secure nation by 2030, Steenkamp warned Cyber Daily that regulators will be even more motivated to hold businesses accountable for poor cyber security practices. His advice: be vigilant and ensure that everyone understands their roles and responsibilities in the event of a cyber incident.

“Examining the increasingly stringent cyber security regulations coming from Europe, it is clear that governments are taking stronger stances on the need to report on cyber breaches and within certain time periods, though there are risks with this,” Steenkamp said.

“Before going public with cyber breaches, organisations need to know what to report, and when to report. One thing that came to light with recent breaches is that your business actually needs to have the cyber structures in place that you communicate to clients and the regulators.

“Critically, these also need to be at the correct regulatory standards. If you miscommunicate any of these by acting too quickly, you run the risk of actually fuelling the type of class actions we’re seeing now.”

To Steenkamp, the ensuing reputational risk of falling victim to an attack and losing customer data could be even more damaging than the legal repercussions themselves.

“The biggest risk for any entity falling victim to a cyber breach is the reputational issue that arises. Whether you’re a government or private entity, you invest in building trust with your customers and supply chain. Once the trust is also breached, the trust people had in your brand will fall,” he said.

The comments reflect longstanding research into the damage a cyber breach can do to customer confidence. According to a PwC survey cited in Forbes in 2017, 87 per cent of customers said they would stop using an organisation if they believed their data were not being looked after responsibly.

The warnings may seem simple, but it is logical for businesses to ask: what exactly constitutes necessary data versus unnecessary data?

“If you can’t answer: why do I have a need for this data? What is the business case for storing a specific set of data? And what is the compliance around holding that data? Then you’re going to open the door to potential regulatory fines. Then you’ll have the second tsunami of class action lawsuits,” Steenkamp told Cyber Daily.

“Businesses must continually assess the need, the operational requirements and the compliance requirements for a set of data. If you meet these requirements, then ensure that you are taking the precautionary measures to reasonably safeguard that data.”

So what are the cyber expert’s top tips for businesses to keep their data safe, ensure they are compliant and protect themselves from regulatory and legal risks?

“You need to observe, own and overcome. If you don’t observe, you don’t know what your environment is. If you don’t take ownership, you don’t understand the requirements of the data you’re holding. If you don’t build risk strategies around your people processes and technologies, you won’t be able to overcome future risks,” Steenkamp said.

“On a tangible basis, businesses can implement three key areas. First is segmentation; this ensures that data has strict access control, ensuring that only the right people are accessing the right data points. Secondly, it’s that the data is encrypted. And thirdly, that you implement multifactor authentication to mitigate the risk of unauthorised access.

“These processes can be strengthened with businesses employing a defined data controller. This is more common in Europe, but not so much in Australia. This dedicated taskmaster or data protection officer takes ownership over that environment and has the clearly defined task of bringing the right processes to protect data holdings.”
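The three questions above (need, operational requirement, compliance) and the three safeguards (segmentation, encryption, multifactor authentication) can be turned into a repeatable review of an organisation's data holdings. The following is an added example written for this page, not code from Cyber Daily, Clayton Utz or Steenkamp; the policy tables, the `DataHolding` record and the sample inventory are constructed assumptions, and a real review would take them from the organisation's own data classification and retention schedule.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy tables (assumptions for this example). NEVER_RETAIN lists
# data classes that must be discarded after use regardless of justification;
# MUST_ENCRYPT lists identifiers that may only be held encrypted at rest.
NEVER_RETAIN = {"card_cvv"}
MUST_ENCRYPT = {"card_number", "passport_number", "medicare_number"}


@dataclass
class DataHolding:
    """One data set as recorded in the (hypothetical) data inventory."""
    name: str
    fields: frozenset[str]
    business_purpose: str | None     # "why do I have a need for this data?"
    compliance_basis: str | None     # "what is the compliance around holding it?"
    retention_days: int | None       # how long the purpose actually requires
    last_needed: date                # last date the purpose used the data
    encrypted_at_rest: bool
    approved_groups: frozenset[str]  # who the business says should have access
    actual_groups: frozenset[str]    # who can actually read it today
    mfa_required: bool


def review_holding(h: DataHolding, today: date) -> list[str]:
    """Return findings for one holding; an empty list means it passed."""
    findings: list[str] = []

    # 1. Need, operational requirement and compliance basis.
    forbidden = sorted(h.fields & NEVER_RETAIN)
    if forbidden:
        findings.append(f"must not be retained at all: {', '.join(forbidden)}")
    if not h.business_purpose:
        findings.append("no documented business purpose")
    if not h.compliance_basis:
        findings.append("no documented compliance basis")
    if h.retention_days is None:
        findings.append("no retention period defined")
    elif today - h.last_needed > timedelta(days=h.retention_days):
        findings.append("retention period exceeded; data should be deleted")

    # 2. Safeguards for data that passes the need test: segmentation
    #    (access no wider than approved), encryption at rest, and MFA.
    excess = sorted(h.actual_groups - h.approved_groups)
    if excess:
        findings.append(f"access wider than approved: {', '.join(excess)}")
    sensitive = sorted(h.fields & MUST_ENCRYPT)
    if sensitive and not h.encrypted_at_rest:
        findings.append(f"sensitive fields not encrypted at rest: {', '.join(sensitive)}")
    if not h.mfa_required:
        findings.append("multifactor authentication not enforced")
    return findings


def review_all(holdings: list[DataHolding], today: date) -> dict[str, list[str]]:
    """Review every holding and map its name to its findings."""
    return {h.name: review_holding(h, today) for h in holdings}


# Constructed sample inventory; names, purposes and dates are illustrative only.
TODAY = date(2024, 6, 3)
SAMPLE_HOLDINGS = [
    # Identity documents kept long after onboarding, readable by marketing, unencrypted.
    DataHolding("onboarding_id_checks", frozenset({"name", "passport_number"}),
                "identity verification at sign-up", "identity-check obligation (assumed)",
                90, date(2023, 1, 15), False,
                frozenset({"onboarding"}), frozenset({"onboarding", "marketing"}), False),
    # Well protected, but it stores a value that should never be retained.
    DataHolding("card_authorisation_log", frozenset({"card_number", "card_cvv"}),
                "payment authorisation", "payment processing terms (assumed)",
                30, date(2024, 5, 30), True,
                frozenset({"payments"}), frozenset({"payments"}), True),
    # Justified, within retention, segmented, encrypted and behind MFA.
    DataHolding("active_billing", frozenset({"name", "email", "postal_address"}),
                "invoicing current customers", "contract performance (assumed)",
                365, date(2024, 6, 1), True,
                frozenset({"billing"}), frozenset({"billing"}), True),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_HOLDINGS, TODAY).items():
        print(f"{name}: {'; '.join(findings) or 'no findings'}")
```

Run as a script it prints one line per holding. The ordering matters: a holding that fails the need test (forbidden fields, no purpose, retention exceeded) is flagged for deletion, and the safeguard checks only become relevant for data the business can justify keeping, which is the point Steenkamp makes about meeting the requirements first and then safeguarding what remains.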

The comments follow an increase in the maximum penalties for businesses involved in serious privacy breaches: in 2022 the Commonwealth raised the maximum penalty to the greater of $50 million or three times the value of the benefit obtained from the misuse of information.
