KORDIA
Australia's Cyber Security Act
New legislation aims to bolster the security and resilience of Australia's cyber environment and critical infrastructure.
Australian lender Latitude Financial has become the latest victim of a massive cyber-attack, with the company revealing that over 14 million customer records, including passport numbers, financial statements, and driver's license numbers from Australia and New Zealand, were stolen from its systems. This makes it the biggest data breach ever recorded in New Zealand. Some of the stolen data was over 18 years old.
This brings into sharp relief the “digital reality” priority from the Institute of Directors Top 5 issues for directors in 2023.
This incident highlights the crucial issue of data retention and cybersecurity for boards, who must remain vigilant in protecting sensitive personal information from cyber threats. According to the 2022 IoD Director Sentiment Survey, over half of directors reported that their boards are not sufficiently prepared for a digital future, with many having a complacent "nothing to see here" attitude.
Just over half of directors (54%) reported their boards’ regularly discuss cyber risks and are confident their organisation has the capacity to respond to a cyberattack. Only 46% are regularly discussing the organisation’s privacy practices and risks. Further, only 37% of directors reported their boards have the right capability to lead their organisation’s digital future.
Directors must understand the risks and oversee the management of cyber threats. While it is important to establish clear policies and procedures for managing cybersecurity risks, boards must also ensure that their approach evolves to keep pace with the ever-changing threat landscape.
To do this, directors must commit to their own education and stay informed. They need to understand the exact risks facing their organisation, how prepared it is for an attack, and how quickly it can recover from a potential cyber incident. Participating in scenario planning exercises can help boards gain confidence in management planning, decision-making, and their ability to deal with a security breach.
Moreover, boards need to be aware of possible legal action if their organisation fails to take adequate steps in effectively managing cybersecurity risks. They must consider their oversight role in the context of discharging their duty of care responsibilities. The IoD’s Cyber risk practice guide provides guidance for directors on understanding and approaching cybersecurity in their organisations, including crucial questions to ask.
The Latitude incident has also raised questions about why many businesses hold on to old customer records and how they store data, including identity documents. The Deputy Privacy Commissioner has emphasized the importance of considering data retention as a key issue. In a statement in response to the Latitude incident, she has said:
“Data retention is the sleeping giant of data security. There are consequences for holding onto data you no longer need. All businesses and organisations can learn from this: don’t collect or hold onto information you don’t need. The risk is simply too high for your customers and your organisation. Don’t risk being a hostage to people who make it their day job to illegally extract data.”
Organisations must ensure that personal information is collected lawfully, with the individual's consent, and for a lawful purpose. They must also take reasonable steps to ensure that personal information is accurate, up-to-date, and secure, and must not disclose it to third parties without the individual's consent.
Boards need to talk with their management team about holding identity documents so a conscious decision can be made about whether the organisation needs all the information it holds. One day technologies like blockchain, zero-knowledge cryptography and biometrics may enable individuals to own and store their own information and provide it to organisations in a safe way. In the meantime, as an alternative, organisations may also want to consider using a service provider to independently acquire, verify, and store identity documents. By remaining vigilant and ensuring cybersecurity is always on the board's agenda, directors can help protect sensitive personal information and keep their organisation well-positioned to manage identity document risks.