Clayton Utz cyber partner Brenton Steenkamp has seen his fair share of cyber attacks. Returning to Australia in October after a seven-year stint in Amsterdam, he has brought home tales of dealing with multiple large ransomware attacks in Europe, as well as the data governance lessons they provided.
Steenkamp said he has observed many Australian organisations are yet to assume the “paradigm shifting” view of risk around data estates that is necessary for future data governance, and soon, local CISOs could be caught in the regulatory crosshairs as a new global wave of regulatory action breaks on local shores.
He recommends organisations get on top of data estates using measures like better classifying data records, asking whether data needs to be retained and minimising data through data disposal. By involving all stakeholders, CISOs should also be able to present a data risk snapshot at any time.
Australian organisations are not facing up to the risks of their data holdings
Steenkamp said it has not been long since organisations, as the era of big data took off, wanted to gather as much information as possible. They would then have that information readily available to do whatever they needed to do, such as facilitating marketing personalisation and sales.
However, now there is a growing realisation, encouraged by growth in data breaches, this has brought “a new level of risk.” He said time and time again organisations are caught out, often not realising what data holdings they have in the bank and that their compliance and processes have “missed the risk.”
SEE: Download a risk management policy from TechRepublic Premium
While he said there is awareness in Australia around the nation’s Privacy Principles, a lower volume of regulatory action means organisations have not yet “felt the pain” in the form of fines or penalties — like CISOs or board members being held accountable — so the risks of data are not fully accounted for.
The OAIC’s case against Australian Clinical Labs
One wake-up call is the Office of the Australian Information Commissioner’s case against Australian Clinical Labs. In the case, the OAIC alleged the organisation, for its size, failed to take reasonable steps to protect personal information from unauthorized access or take a reasonable security posture.
Steenkamp said the case raises two issues. The first is how businesses are protecting the data they are holding, the typical domain of the CISO. The second is the effective assessment and management of risk associated with data from a cyber security perspective.
Organisations urged to understand the full extent of data risk
Australian organisations need to make a deeper, more holistic assessment of the risks associated with their data estates, according to Steenkamp. If organisations do not understand the risks associated with their data and tie that up with security, they have a “disparate point of view that could be risky,” he said.
“It is going to require a totally new approach around risk identification,” he said. “You can’t up the ante around your security posture if you’re not at the same time addressing the actual risk, the inherent risk the data holdings that you have embedded in your organisations and through third parties.”
This will require organisations to step back and look at their policies and processes around what risk is, what it means for the data they keep and how they can take reasonable steps to mitigate that risk. This is also something that will need to be assessed and implemented on a continuous basis.
The organisational risks that exist in an “assume breach” world
In February 2024, UnitedHealth, a major U.S. health insurer processing about 50% of U.S. medical claims, was successfully breached by hackers. Despite the payment of a ransom, the health and personal data of a “substantial portion of people in America” were stolen, according to a company statement.
Steenkamp said that while the investigation into the breach is still ongoing, it would appear that despite having sufficient security controls, the organisation was still breached. In situations like this, he said the question from a risk perspective is: What did you do behind the scenes in terms of data?
If organisations are not addressing the broader risk aspects of their data holdings and putting in place data governance and security controls to minimise and mitigate the risk, Steenkamp said what the UnitedHealth hack shows is that the “viability of the organisation is potentially harmed.”
A regulatory and enforcement wave could soon be coming to Australian shores
A wave of regulatory enforcement could hit Australian shores after current proposed changes to the Privacy Act are made law.
Steenkamp said CISOs could be pursued for negligence in cases where they misrepresent the organisation’s security readiness, fail to put in place appropriate controls or do not bring issues to the board’s attention.
In some cases, security professionals in foreign markets are reported to be avoiding being promoted into CISO roles altogether for fear that new accountabilities could see them put on the hook for organisational data and security failings, which at times can appear to be out of their direct control.
Global cases show a move to crack down on lacklustre data governance
Steenkamp said a number of examples from global markets could soon be replicated in Australia.
- The U.S. Securities and Exchange Commission is prosecuting the former chief financial officer of Uber for, among other things, misleading and giving wrong impression around the company’s data risk and security posture, putting at risk vast amounts of driver and customer data.
- The SEC also initiated proceedings against SolarWinds’ CISO Timothy Brown, alleging he lied to investors when he overstated SolarWinds’ cybersecurity practices and understated or failed to disclose known risks, which came to light after a major hacking event in 2021.
- Google was recently fined €250 million (US $271.73 million) by regulators in France for misrepresentations the company was found to have given about data it was capturing without consent from French publishers. Google was using the data to train AI models.
“I think this is a serious wakeup call,” Steenkamp said. “There is a tendency around the globe, in America, but also among regulators in Europe, particularly mainland Europe and Ireland, to take an aggressive stance against the whole issue around data,” he said.
Organisations will need to pass the “reasonable test”
The Australian Securities and Investments Commission has made clear that, in the event of data breaches, it will seek to set an example by pursuing through legal action any individual board members or executives whose companies are not as prepared as they should be for cyber attacks.
Steenkamp said that, ultimately, the “reasonable test” will be the bar Australian organisations need to meet. This will require organisations to have understood the specific nature of the data risk landscape they face, to have put in place adequate measures to safeguard data or to be moving to address any identified gaps in security that may be identified.
Practical steps that can help organisations get more control over data risk
There are practical steps IT and security leaders can pursue to get a better handle on data risk. Steenkamp said “less is now more” when it comes to data, and priorities include a continuous process of knowing the data you have, classifying it and only retaining what you need for as long as you need it.
This point is made clear by the thrust of the current Medibank and Optus class actions following major data breaches in those organisations. The cases are about, first, whether there were adequate security controls in place to protect data, and secondly, whether the organisations needed the data at all.
Steenkamp recommended organations should prioritise steps such as the following:
Get better at data classification and retention periods
Organisations should audit and classify the data records across their estate and implement practical guidelines on data retention and disposal. Steenkamp said time and time again, large data breaches involve data that organisations realise “they never would have kept if they knew about it.”
Engage in data minimisation rather than maximisation
Minimising data risk involves minimising data. Steenkamp recommended leveraging diagnostics and technologies to help identify where data holdings are and then to go about minimising that data, particularly where it is sensitive data such as health data or personally identifiable information.
Understand risk well enough to provide a risk snapshot
CISOs and commercial risk officers should be able to demonstrate or paint a picture of the risk posture of the organisation in relation to data at any point in time. This would show the organisation has addressed the necessary risks and that adequate steps are being taken to mitigate any potential gaps.
Make data risks and mitigations known to the board
Boards need to be informed of the data risk landscape. While it can be tempting to avoid this by asking if it is really a legal issue or a board issue, Steenkamp said if data is exposed, the first question a board will ask is why they were not informed or given necessary insight into the risks around data.