Data Collection is becoming a costly game to play
“Data is the new oil”
Over the last decade, the constant refrain from the digital media is that data is an asset to be leveraged, in order to generate value for the business.
(See: "Data is an asset. What is its value?" by Adam Votava, Towards Data Science)
As a product or input of business, data is being monetized in multiple different ways – creating new revenue streams, delivering competitive advantage, and streamlining operations. It’s small wonder that businesses are engaging in rampant data harvesting, including harvesting our most personal data.
Personal data is in especially high demand because it allows businesses to understand more about the behaviors and needs of their customers and enables them to influence their behavior.
Personal information is also highly attractive to external agents wanting to use our personal information for more nefarious reasons including:
- Targeted advertising
- Spam campaigns
- On-selling to third parties
- Influencing our behavior
- Identity theft
Australians’ data is not adequately protected
Many (if not most) Australian businesses do not adequately protect our personal data, in part because they don’t actually know what personal data they are holding.
We have found that most businesses we work with have limited visibility of their data holdings and do not understand the scale and complexity of their data landscape. Data proliferates across their network directories and cloud-based systems: as spreadsheets, notebooks, Access and SQL databases, in SharePoint Lists and Libraries, Teams Sites, data warehouses and data lakes.
Most organizations hold hundreds of databases but lack insight into what data they hold; what purpose they serve; what system or server they reside on; who owns and manages each database; and who has access to the data.
The scale of the data landscape only becomes apparent when organizations start the process of auditing and recording their data into an Information Asset Register.
The cost of mismanaging personal data has been minimal
Until now, there have been minimal financial consequences for Australian businesses for the mismanagement of personal data. The maximum fine for serious or repeated breaches of privacy currently stands at $2.2 million, which is small change for most large corporations. And smaller businesses with an annual turnover of $3 million or less are not required to notify the Privacy Commissioner about exposures of personal data.
Compare this with the United Kingdom and Europe, where the capture and management of personal data has been highly regulated since 2014, and there are significant financial penalties for data breaches or non-compliance. For example, the General Data Protection Regulation (GDPR) gives supervisory authorities the power to issue fines of up to €20 million or 4% of an organization’s global annual turnover.
Although our regulations are modelled on the GDPR, Australian businesses have not had to face that level of financial risk. The activities of the Office of the Australian Information Commissioner (OAIC) are constrained by the limited scope of the Privacy Act 1988 and by a lack of funding.
Under current legislation and the previous government’s preferred model of self-regulation:
- Large companies are required to disclose personal data breaches to the OAIC, but not to the public.
- There is no requirement for companies to establish an accountability framework, nor to report against one to the OAIC.
- There are no registration requirements in relation to the cross-border transfer of personal data to international companies.
- There are no formal requirements for companies to enter into formal agreements with third-party processors of personal data (i.e. call centers, cloud providers).
- There are no formal requirements for companies to appoint data protection (privacy) officers, and no legal requirements regarding the responsibilities of data protection officers.
But the costs are mounting
In the wake of the recent tsunami of Australian data breaches, the balance of reward to risk is changing.
Australia’s new government has telegraphed that it will be fast-tracking amendments to the Privacy Act, including increasing the financial penalties for companies engaged in serious or repeated privacy breaches to at least $50 million. No detail is available at this stage, but expect to see significant changes to the breach notification laws for all businesses.
Financial and reputational costs
The financial fallout from recent data breaches appears to be growing substantially.
Two law firms are considering class actions against Optus over the recent data breach which exposed the personal details of millions of Australians.
And customers have started voting with their feet – 10 per cent of those using their mobile service have left the company since the breach.
(See: Optus Data Breach – Lest We Forget, synercon.co)
Medibank’s share price has plunged 21% since the company disclosed the breach, and management estimates that the breach could reduce their bottom line by $25 to $35 million.
(See: Medibank data breach – Lest We Forget, synercon.co)
On a lesser scale, these companies will also have to cover the substantial costs of replacing passports and driver’s licences, along with offering free credit monitoring services to their affected customers.
Taking a more serious approach to data security
It goes without saying that Australian businesses will need to put a lot more effort into personal data protection. Currently, most have a low level of understanding of what their data protection responsibilities are. Perhaps with stronger fines and mandatory disclosure of breaches, Australian businesses may start to take data protection seriously and invest in building capability in this area.