Informa Australia is part of the Informa Connect Division of Informa PLC
This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 3099067.
21 Nov 2022, by Amy Sarcevic
With cyber criminals stepping up their assaults on Australian corporations – and the privacy regulator soon to receive new powers – the prospect of a data breach has become acutely worrying for business leaders in recent weeks.
While ransomware attacks have been on an upward trend for several decades, the recent coverage of Optus and Medibank has shone a spotlight on corporate accountability, leaving many businesses wondering how to best manage their data.
Partner and Head of Cyber at leading Australian law firm Hall & Wilcox, Eden Winokur, says while data protection laws may seem simple, there are often ambiguities when putting them into practice.
“Australian Privacy Principle 11 requires companies to take reasonable steps to protect data and, subject to some exceptions, delete it when it no longer serves the purpose for which it was collected. For some businesses, it isn’t always clear where that line is – especially when that data is subject to other obligations from the realms of tax or employment law, for example.
“It could be argued that once a customer account has been created, photo copies of drivers’ licenses and passports should be erased. However, there might be other instances where a corporation needs to hang on to that data to verify an account. It can be a complex area and the regulator does not always agree with a corporation’s perspective.”
Acute threat
Getting a handle on this issue is becoming increasingly important. To date, the OAIC – the organisation that investigates corporate accountability in data breaches – has taken a judicial approach to penalising companies, having never levied the (current) maximum penalty of $2.2 million.
Under a proposed amendment to privacy legislation, currently being considered by the Parliament, the privacy regulator may soon be able to seek to impose a maximum penalty of $50 million, among other new powers.
Meanwhile, the threat of a cyber attack has never been greater with 76,000 cyber incidents reported to the Australian Cyber Security Centre in the 2022 financial year, a 13 percent increase from last year.
Mr Winokur says that while cyber risk will never diminish to zero, disastrous consequences can be avoided with the right approach. Ahead of his speech at the Australian Privacy Forum, he gives these tips.
Plan ahead
A well-rehearsed plan can mitigate the risk of fines or reputational damage following a cyber attack. As part of this plan, Mr Winokur recommends mapping out the entire legal landscape and understanding the intersections between different realms of law that involve data retention.
“Companies should get a foothold on exactly what regulatory and legal obligations there are under customer and employee contracts – and they should do it before they are dealing with a cyber incident.
“Following an incident, companies should be focusing on the response instead of having to review legal contracts to assess notification obligations. You want to have that properly prepared so you can start communicating with the relevant regulators, clients and members of the public in a timely manner.”
Treat cyber risk as a company-wide matter
Leaders must also recognise that cyber risk is a whole-of-business issue and not just a matter for the IT department.
“Cyber risk management should involve a company’s entire executive leadership team,” Mr Winokur said.
“Many companies have work to do to ensure that they are meeting legal obligations from a privacy perspective from the time they start collecting information from customers.
“Companies should focus on ensuring all staff understand privacy obligations and ensure they have systems in place addressing the data life cycle.”
Strategise data deletion
The data life cycle should include a plan about when data records are purged, Mr Winokur recommends.
“The laws around data deletion have existed for a while, but many businesses probably have work to do in relation to how and when delete is deleted or de-identified.
“Deleting records that are no longer needed for the purpose they were collected is one of the fundamental principles of the Australian Privacy Act, so it is important businesses take an objective approach to this.”
Further recommendations
Sharing more expert advice on how businesses can navigate the complex data management landscape, Eden Winokur will present at the Australian Privacy Forum, hosted by Informa Connect on February 16, 2023.
Joining Mr Winokur on the stage are the NSW Privacy Commissioner, Samantha Gavel, Executive Manager, Legal MarComms and Research at eSafety Commissioner, Morag Bond. The event will be held at the Radisson Blu Plaza Sydney.
Informa Connect Australia is the nation's leading event organiser. Our events comprise of large scale exhibitions, industry conferences and highly specialised corporate training.
