A trio of cybersecurity and occupational safety experts has charted six steps to better protect consumers from hackers.
With personal data considered a valuable commodity, the harvesting, storage and use of customer information have become one of the greatest challenges facing organisations.
Optus and Medibank have been high-profile victims of cybercrime. Other attacks have been even more innovative, including a US casino that in 2017 was hacked via an internet-connected fish tank.
Peter Faber Business School lecturer Dr Kamanashis Biswas joined Australian Catholic University colleague Dr Trajce Cvetkovski and La Trobe University’s Dr Jabed Chowdhury to call for a review of data retention laws.
Dr Biswas said regulations had fallen behind the hackers, and that profit-hungry corporations must be held accountable over data retention.
“There are some grey areas around mandatory data retention regulations that, depending on the sector, require subscriber information to be kept for up to seven years,” he said.
“As some former Optus customers discovered, personal information other than compliance data had been stored despite there being no legal requirement to do so.”
Dr Biswas argued hackers could be fought with these six measures:
- Data retention policy must be reviewed, and the Privacy Act has to be aligned with this policy. Currently, under the Privacy Act, no data retention policy is established.
- Australia should also consider the “right to be forgotten”, under which individuals have the right to have their data deleted when they leave any service (except data that the law mandates be kept).
- After the compliance time period ends, organisations must take necessary steps such as the destruction or de-identification of personal information to comply with the legislation.
- Historical data needs to be archived in offline storage, from which it can be retrieved when requested by law enforcement bodies.
- Under the Privacy Act, data must be stored in an encrypted form. However, it does not prescribe the type and standard of the encryption mechanism. A standard security framework must be designed and implemented to preserve the confidentiality and integrity of personal information.
- Data custodians must reflect on the 3Rs (Roles, Rights, and Responsibilities). Every organisation has a duty of care, a responsibility, from the time of data collection to the point of the deletion of the information.
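As an added illustration of how measures 2, 3 and 4 above translate into code (this is example code written for this page, not anything from the researchers or the article), the sketch below enforces a per-sector retention period with a legal-hold exception, honours a right-to-be-forgotten request by stripping every field the law does not mandate, and de-identifies expired records before they leave the live store for an offline archive. The retention periods, the set of mandated fields, the pepper and the sample records are all hypothetical; encryption of the archive payload is deliberately left to a library such as `cryptography` rather than reimplemented here.

```python
# Added example (not from the article): a minimal retention-policy enforcer.
# Periods, field names, pepper and sample records are hypothetical.
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import date

# Hypothetical retention periods in years, keyed by sector. The article notes
# that real mandates run up to seven years depending on the sector.
RETENTION_YEARS = {"telco": 2, "health": 7}

# Hypothetical set of fields a regulator requires be kept for the period.
# Everything else is optional data the organisation chose to collect.
MANDATED_FIELDS = {"name", "date_of_birth", "service_start"}

# Direct identifiers: pseudonymised rather than kept in the clear on expiry,
# so archived records stay linkable without exposing the person.
DIRECT_IDENTIFIERS = {"name", "date_of_birth"}


@dataclass
class Record:
    customer_id: str
    sector: str
    collected: date
    fields: dict = field(default_factory=dict)
    legal_hold: bool = False  # e.g. an active law-enforcement request


def retention_expiry(rec: Record) -> date:
    """Date on which the mandated retention period ends."""
    years = RETENTION_YEARS[rec.sector]
    try:
        return rec.collected.replace(year=rec.collected.year + years)
    except ValueError:  # collected on 29 Feb, target year is not a leap year
        return rec.collected.replace(year=rec.collected.year + years, day=28)


def pseudonymise(value: str, pepper: bytes) -> str:
    """Keyed hash: same token for the same value, not reversible without the pepper."""
    return hmac.new(pepper, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def forget(rec: Record) -> Record:
    """Right-to-be-forgotten request: keep only what the law requires."""
    kept = {k: v for k, v in rec.fields.items() if k in MANDATED_FIELDS}
    return Record(rec.customer_id, rec.sector, rec.collected, kept, rec.legal_hold)


def de_identify(rec: Record, pepper: bytes) -> dict:
    """Expired record: destroy optional fields, pseudonymise direct identifiers."""
    out = {"customer_id": pseudonymise(rec.customer_id, pepper), "sector": rec.sector}
    for k, v in rec.fields.items():
        if k in DIRECT_IDENTIFIERS:
            out[k] = pseudonymise(str(v), pepper)
        elif k in MANDATED_FIELDS:
            out[k] = v
        # any other field is dropped: it is neither mandated nor archived
    return out


def enforce(records, today: date, pepper: bytes):
    """Split a store into live records and de-identified records for the archive."""
    live, archive = [], []
    for rec in records:
        if rec.legal_hold or today < retention_expiry(rec):
            live.append(rec)  # still inside the period, or frozen by a legal hold
        else:
            archive.append(de_identify(rec, pepper))
    return live, archive


def serialise_archive(archive) -> str:
    """Payload for offline storage. Encrypt this (e.g. AES-256-GCM) before writing."""
    return json.dumps(archive, sort_keys=True)


# Constructed sample data. c1 expired in 2022, c2 is still within its period,
# c3 expired in 2021 but is under legal hold.
PEPPER = b"hypothetical-pepper-keep-in-a-kms"
TODAY = date(2023, 1, 1)
SAMPLE = [
    Record("c1", "telco", date(2020, 3, 1),
           {"name": "A. Person", "date_of_birth": "1990-01-01",
            "service_start": "2020-03-01", "drivers_licence": "123456"}),
    Record("c2", "telco", date(2022, 6, 1),
           {"name": "B. Person", "date_of_birth": "1985-05-05",
            "service_start": "2022-06-01", "marketing_prefs": "email"}),
    Record("c3", "health", date(2014, 1, 1),
           {"name": "C. Person", "date_of_birth": "1970-07-07",
            "service_start": "2014-01-01"}, legal_hold=True),
]

if __name__ == "__main__":
    live, archive = enforce(SAMPLE, TODAY, PEPPER)
    print("live:", [r.customer_id for r in live])
    print("archive:", serialise_archive(archive))
    print("after forget:", forget(SAMPLE[1]).fields)
```

Run as a script it keeps c2 and c3 live, archives a de-identified c1 with the driver's licence number destroyed, and shows that a right-to-be-forgotten request on c2 leaves only the mandated fields. The points worth carrying into a real system are the legal-hold check before any destruction, pseudonymisation with a keyed hash (a plain SHA-256 of a name or date of birth is trivially reversible by brute force) and the separation between the live store and an archive that is encrypted and kept offline.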
“It’s a competitive marketplace for vendors,” said Dr Biswas whose research focus includes cryptography and blockchain technology. “But, with some collaboration between government and industry, inroads can be made in the war with hackers.”