As part of its new cyber security policy, the federal government will review rules that require businesses to retain data, in response to the high-profile data breaches of the past year.
The 2023-30 plan, which was made public on Wednesday, notes that data is increasingly being exploited for extortion attacks and as a tool for coercion.
A mishandling of sensitive and essential datasets has the potential to inflict significant harm to Australia’s national interests, according to the document. “Malicious actors have been able to develop vast data profiles on businesses, individuals, and officials for the purposes of intelligence gathering and commercial purposes as a result of technological advancements.”
Specifically, the plan highlights companies' concerns that they are compelled to keep huge volumes of data for excessively long periods of time, which makes them potentially high-value targets for intrusion.
These concerns were raised following the data breaches at Optus and Medibank, which exposed tens of millions of customer records stretching back years, some of which were later found on the dark web.
Under the controversial mandatory data retention legislation passed in 2015, telecommunications providers are required to keep a variety of customer information, including name, address, location information, call history, and other data, for a period of two years. This legislation was necessary in order to allow law enforcement to access the information.
To address the concerns of businesses, the federal government announced that, in addition to the Privacy Act reforms already in progress, it would review the data retention requirements mandated by federal legislation. The purpose of this review is to determine “whether existing provisions are appropriately balanced,” with the intention of either simplifying or minimizing the requirements for data retention.
In an interview with Australia, Alistair MacGibbon, chief strategy officer of CyberCX, stated that a reasonable rule of thumb is that companies cannot lose or misuse data that they do not maintain in the first place.
“We need corporations and the government to have that view, but that does not mean that no information should be collected or retained, including for the purposes of law enforcement,” he said. “I believe that having this conversation is a really sensible thing to do.”
MacGibbon stated that corporations had a propensity to misread their collection obligations, and that there was benefit in studying the laws already in place to determine whether they were still suitable for their intended purpose.
It is imperative that you never take a “set-and-forget” approach to any technological or legal scenario… Society undergoes transformations.
In addition to this, he stated that it was essential to differentiate between the data that the government needed to keep and the degree to which it could be freely accessible.
“Some of the most serious data breaches that we have witnessed involve information that ought to have been kept under lock and key in cold storage, rather than being stored in hot or warm storage within an organization, where it could have been stolen by criminals.”
In addition to this, there will be an investigation into the murky realm of data brokering, which is the practice of businesses collecting information on their customers and then selling it to other businesses. The review will determine whether additional measures are necessary to address the risks.
The month before last, the state of California approved a law that will enable individuals to request that all data brokers in the state remove the information that is held on them.
They did not understand or know that they were authorized, and they did not even know that they were providing their assent. “We have allowed an economy to develop in which supposedly cool services can be delivered off of the data that is collected from citizens,” In addition, there is an absolute requirement for a stricter regulation of data and brokerage.
The idea is abhorrent, yet in the year 2023, these are unregulated industries; we would never permit it to be disconnected from the internet.