Dymocks is the latest in a recent slew of Australian companies that have suffered a data breach. More than 1.2 million customer records were exposed, including names, dates of birth, and email and postal addresses. Despite quick action from the company to investigate and (eventually) resolve the situation, this breach serves as a sobering reminder of the ongoing challenges companies face in protecting user data in an increasingly complex digital landscape.
While cyber breaches are unfortunately common, the incident offers a chance to scrutinise our attitudes towards data security and privacy. Many companies, even those with advanced cybersecurity measures, still fall prey to breaches. It’s a compelling reason to revisit and reflect on the approaches to data collection, retention, and sharing across organisations.
The current state of data handling in business
Data serves as the lifeblood of modern businesses; however, its management has become increasingly complex due to data sprawl challenges and a web of regulatory barriers. With requirements set by laws like the European Union’s General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law (LGPD), and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), businesses have to manoeuvre through a maze of compliance rules.
Data doesn’t exist in a vacuum; it is often shared and transferred across various departments within an organisation, as well as externally. Over time, data can be spread across personal employee devices, shared access drives, and elsewhere. While this interconnectivity may enhance operational efficiency, it also creates numerous weak points susceptible to exploitation. From the moment data is collected until it’s stored or erased, every point of transfer represents a potential risk of a data leak.
The evolution of data residency laws further complicates this already complex landscape. Data residency laws often dictate where sensitive data must be stored, often requiring it to remain within the borders of the country from which it originated. These laws can introduce vulnerabilities by forcing companies to store data in multiple locations, thereby multiplying potential points of failure.
Rethinking the organisational approach to data
There is much to learn from breaches that have occurred over the past 18 months. A proactive approach to data management requires both the use of smart technology and a change in processes, particularly in regards to data collection and retention.
As cybersecurity expert Troy Hunt, founder of the globally known ‘Have I Been Pwned’ site, pointed out, one of the most effective ways to mitigate the risks of a data breach is to reduce the data you collect in the first place. “There were lots of opportunities to minimise the data that was collected,” shared Troy in a recent livestream, questioning the validity of some PII that is gathered from clients. Understanding what data to collect and ensuring it is fit for purpose, rather than superfluous to the stated need, is a useful protective measure in itself. The less unnecessary data held, the less there is to leak, abuse, or mismanage.
Similarly, organisations have an opportunity to rethink their data retention policies. In the major breaches that have hit headlines, former customers still had records with PII on file, dating back many years (even as far as 2005). As Troy aptly puts it, “what worries me is the data retention. There is clearly a process to change the state of the record to ‘inactive’. Could this not have been deleted instead?”
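To make the two recommendations above concrete (collect only fit-for-purpose fields, and delete stale inactive records rather than merely flagging them), here is an added illustration in Python. It is not code from Dymocks, Identitii or Troy Hunt; the field list, the seven-year retention window and the sample records are all constructed assumptions for the example.

```python
"""Data minimisation at collection time and retention enforcement (constructed example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: for an order-fulfilment purpose, only these fields are needed.
# Anything else submitted (e.g. date of birth) is dropped before storage.
REQUIRED_FIELDS = {"name", "email", "postal_address"}


def minimise(submitted: dict) -> dict:
    """Keep only the fields the stated purpose requires.

    Raises if a required field is missing; silently discards extras so that
    superfluous PII never reaches the datastore in the first place.
    """
    missing = REQUIRED_FIELDS - submitted.keys()
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    return {k: v for k, v in submitted.items() if k in REQUIRED_FIELDS}


@dataclass
class CustomerRecord:
    customer_id: int
    last_activity: date
    status: str = "active"          # "active" or "inactive"
    pii: dict = field(default_factory=dict)


# Assumed retention window: records inactive for longer than this are deleted.
RETENTION = timedelta(days=365 * 7)


def enforce_retention(records: list, today: date) -> tuple:
    """Return (kept_records, deleted_ids).

    Instead of leaving stale accounts in an 'inactive' state indefinitely,
    any inactive record whose last activity is outside the retention window
    is removed outright. Active records are never touched here.
    """
    kept, deleted = [], []
    for rec in records:
        stale = today - rec.last_activity > RETENTION
        if rec.status == "inactive" and stale:
            deleted.append(rec.customer_id)
        else:
            kept.append(rec)
    return kept, deleted


def run_demo() -> tuple:
    """Run the retention sweep over a constructed dataset; returns (kept_ids, deleted_ids)."""
    today = date(2023, 9, 15)  # constructed 'current' date
    records = [
        # Inactive since 2005: well outside the window, should be deleted.
        CustomerRecord(1, date(2005, 3, 1), "inactive", {"name": "A"}),
        # Inactive since 2020: inside the window, retained for now.
        CustomerRecord(2, date(2020, 1, 10), "inactive", {"name": "B"}),
        # Recently active.
        CustomerRecord(3, date(2023, 8, 1), "active", {"name": "C"}),
        # Old but still marked active: retained, flagged for review elsewhere.
        CustomerRecord(4, date(2010, 6, 30), "active", {"name": "D"}),
    ]
    kept, deleted = enforce_retention(records, today)
    return [r.customer_id for r in kept], deleted


if __name__ == "__main__":
    print(minimise({"name": "A", "email": "a@example.com",
                    "postal_address": "1 Example St", "date_of_birth": "1990-01-01"}))
    print(run_demo())
```

The sweep only deletes records already marked inactive; a stale-but-active record (customer 4) is kept, which is exactly the kind of case a periodic review should catch rather than letting it sit for years.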
But organisational processes and policies alone do not make for a strong data management program. Technology also serves an important function. Services that allow companies to protect and securely hold data, while still allowing it to be used for operational purposes or shared safely with regulators and counterparties, are a critical part of a robust solution.
The breaches serve as timely reminders to businesses and regulators alike. There’s a pressing need to update privacy laws and compel companies to adopt better practices in data security and privacy. The so-called ‘mosaic effect,’ as noted by the Office of the Australian Information Commissioner, highlights how seemingly trivial pieces of data can combine to create significant security risks. In a recent press release, Commissioner Angelene Falk said, “As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach.”
As we grapple with increasingly complex data residency laws and the ever-present risks of cyber-attacks, the time to act is now. It’s an opportunity to innovate and rethink how to collect, store, and secure the data that has become so integral to the modern environment.
Identitii helps financial businesses to securely collect and share information, bridging the gap between the data you have and the data you want. Learn more about how Identitii can assist you here.