Recent high-profile cyberattacks have made retailers wary of data security concerns, but not enough businesses are taking action.
In the wake of recent cyber-criminal activity affecting millions of Australians – and harming the reputations of major businesses – data security should now be front of mind for business leaders. Many retailers need to tighten business practices and take action in order to minimise exposure to cyber risks.
Concerningly, they’re not.
From our conversations with businesses, we’re seeing some organisations have a good understanding of what’s required, while others have come to us because they recognise data security is not within their expertise and they need external support. Increased regulatory requirements are on the horizon, including proposed reforms to remove small business exemptions under the Australian Privacy Act.
There are mounting calls to bring Australia’s privacy laws in line with more stringent European standards, which may indicate where the Commonwealth Government’s regulatory direction is heading. Irrespective of potential legal requirements, it is prudent for retailers to consider existing compliance requirements as well as customers’ expectations. Public reaction to recent cyber-attacks indicates a growing concern among Australians about the handling of their personal information and sets a clear expectation for businesses to manage data responsibly.
Safeguarding data is best achieved via a proactive approach. Regular reviews and updates of processes and policies for data retention, together with regular deletion of unused data or inactive customer accounts, are an important step to protect businesses, customers and data from cybercriminals.
It is an existing requirement under privacy principles for businesses to take steps to destroy – or ‘purge’ – data they don’t need. Yet, a recent finding by the Governance Institute of Australia indicates that less than a third of organisations regularly purge their data[1].
What are the steps you can take right now as a business leader?
- Make use of free resources
There are plenty of helpful resources that have been created to assist businesses. The Australian Cyber Security Centre (ACSC) is a good place to start.
- Seek advice
Speak with your existing IT advisors or engage with a reputable provider who can review your data processes. Make sure your approach to holding data is as secure as it could be. Ask your lawyer to identify any additional risks and ensure the processes comply with relevant privacy laws.
- Begin conversations among leadership
If you’re not already talking about data security, retention and exposure with your leadership team, start now. Explore questions including: What data do we have? How long have we held it? How recently have we used it? When should we delete it?
- Start making small changes
A plan to review and delete data is a positive first step. Determine a reasonable period of time to keep data. This will vary by industry and business type and should be considered among other business needs including legal requirements and statutes of limitation.
- Review your data collection strategy
How much data do you collect – and do you really need it? In addition to compliance with existing requirements under the Privacy Act, take the time to consider if you’re collecting more data than you need, or if you are even using the data you’ve collected. By limiting the information your business holds, you’ll simultaneously limit your exposure to cybercrime.
- Small by name but big by nature
It’s quite likely smaller businesses, which are currently exempt from some requirements in Australia’s Privacy Act, will soon need to comply with privacy protections already required of larger businesses. Small businesses should consider acting as if the Australian Privacy Principles apply to them now, putting best practices in place and demonstrating to customers that they take data security as seriously as big business.
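The two steps above on leadership questions (what data we hold, how long, how recently used, when to delete) and on setting a retention period can be turned into a repeatable check. The following is an added example, not code from the article or from DMAW Lawyers: it runs a retention schedule over a constructed data inventory and sorts each record into keep, delete, held under a legal hold, or unclassified (a category the schedule does not cover, which should be resolved rather than silently kept). The record layout, category names and retention periods are assumptions chosen for illustration; the actual periods belong in a schedule agreed with your advisors, as the article recommends.

```python
"""Retention-schedule check over a constructed data inventory.

Added example for illustration. Categories and retention periods below are
assumptions, not a recommended schedule.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class Record:
    record_id: str
    category: str          # e.g. "customer_account"; assumed categories
    collected: date        # when the business first obtained the data
    last_used: date        # most recent legitimate business use
    legal_hold: bool = False  # keep regardless of age (litigation, statutory period)


# Assumed retention schedule: maximum days since last use, per category.
RETENTION_DAYS: Dict[str, int] = {
    "customer_account": 730,   # two years of account inactivity
    "marketing_list": 365,
    "transaction": 2555,       # roughly seven years; placeholder, not legal advice
}


def days_idle(record: Record, today: date) -> int:
    """Days since the record was last used for a business purpose."""
    return (today - record.last_used).days


def inventory_summary(records: List[Record], today: date) -> Dict[str, dict]:
    """Answer the leadership questions per category: how much, held since when,
    most recent use."""
    summary: Dict[str, dict] = {}
    for r in records:
        s = summary.setdefault(
            r.category,
            {"count": 0, "oldest_collected": r.collected, "most_recent_use": r.last_used},
        )
        s["count"] += 1
        s["oldest_collected"] = min(s["oldest_collected"], r.collected)
        s["most_recent_use"] = max(s["most_recent_use"], r.last_used)
    for s in summary.values():
        s["days_held"] = (today - s["oldest_collected"]).days
    return summary


def classify_for_retention(
    records: List[Record], today: date, policy: Dict[str, int] = RETENTION_DAYS
) -> Dict[str, List[str]]:
    """Sort record ids into keep / delete / legal_hold / unclassified.

    A category missing from the schedule is reported, not defaulted, so the
    gap in the policy is visible to whoever reviews the output.
    """
    result: Dict[str, List[str]] = {"keep": [], "delete": [], "legal_hold": [], "unclassified": []}
    for r in records:
        limit = policy.get(r.category)
        if limit is None:
            result["unclassified"].append(r.record_id)
        elif days_idle(r, today) <= limit:
            result["keep"].append(r.record_id)
        elif r.legal_hold:
            result["legal_hold"].append(r.record_id)   # overdue but must be retained
        else:
            result["delete"].append(r.record_id)
    return result


# Constructed sample inventory (not real data).
SAMPLE_TODAY = date(2023, 6, 1)
SAMPLE_RECORDS: List[Record] = [
    Record("c-001", "customer_account", date(2019, 1, 10), date(2020, 3, 5)),
    Record("c-002", "customer_account", date(2022, 5, 1), date(2023, 5, 20)),
    Record("c-003", "customer_account", date(2018, 7, 1), date(2019, 2, 1), legal_hold=True),
    Record("m-001", "marketing_list", date(2021, 1, 1), date(2021, 12, 31)),
    Record("t-001", "transaction", date(2017, 1, 1), date(2017, 1, 1)),
    Record("x-001", "support_ticket", date(2020, 4, 1), date(2020, 4, 1)),  # not in schedule
]


def run_example() -> Dict[str, List[str]]:
    """Classify the sample inventory against the assumed schedule."""
    return classify_for_retention(SAMPLE_RECORDS, SAMPLE_TODAY)


if __name__ == "__main__":
    for category, s in inventory_summary(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(f"{category}: {s['count']} records, held {s['days_held']} days, "
              f"last used {s['most_recent_use']}")
    for bucket, ids in run_example().items():
        print(f"{bucket}: {ids}")
```

Running the script on the sample lists the two overdue records for deletion, keeps the account with a legal hold even though it is well past the two-year mark, and flags the support ticket because no retention period has been set for it. Deletion itself is deliberately left to a separate, reviewed step rather than being performed by the check.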
As cyber-attacks become more prevalent and sophisticated, business leaders must regularly turn their minds to deleting unused data and inactive customer accounts. Failure to do so creates a risk of breaching Australian privacy laws and could leave businesses, and their customers, vulnerable to ongoing cyber threats.
Tasha Naige is principal at leading South Australian commercial law firm, DMAW Lawyers.