Industry experts call for brands to adopt data minimisation strategies in wake of cyberattacks

We speak to two industry experts following the Optus, MyDeal and Medibank customer data breaches about what organisations need to do to minimise their chances of being next

Brands are putting themselves at needless risk of cybersecurity breaches with their obsession with collecting customers’ personal data and should instead be getting their data minimisation strategies in order, two industry experts agree.

The comments were made to CMO in response to the recent Optus, Medibank and MyDeal customer data cybersecurity attacks, which have dominated Australian media headlines over the last month. In Optus’ case, more than 9 million past and present customers have seen their personal information captured by cybercriminals. In the evolving case of Medibank, it’s now estimated hackers have accessed the data of all 3.9 million customers across the Medibank and ahm Insurance businesses, including highly sensitive health information.

The massive data breaches have now led the Australian Government to increase penalties for data breaches to up to $50 million, from the former cap of $2.2 million.

Wongdoody chief experience officer APAC, James Noble, expected urgent reviews of security measures and data storage to now be happening all over Australia.  

“For businesses, this often means doing the basic job of making sure you’re on the right side of the law and your insurance policy,” he commented. “For consumers, it’s a tangled mess of T&Cs, opting in and out of data sharing you don’t understand, and trying to recall forgotten accounts and passwords from years back – where to even start?”

But the biggest question for Noble was what is being collected in the first place. He applauded Attorney-General, Mark Dreyfus, for suggesting the least businesses could be doing for customers is to stop collecting data they don’t need.

“It’s evident to us all brands all over Australia have jumped on the ‘data is the new oil’ hype train and built data capture into their online, and often physical shopping experiences,” Noble said. “How often are you asked for an email address to receive your receipt? In doing so, these brands are putting themselves at needless risk of a security breach and annoying their customers to boot.”  

In response to queries on the data they’re collecting in market, both Optus and Medibank have pointed out legislation requires them to keep customer records for up to seven years, including those of former customers. Noble acknowledged such legislative requirements fall into the necessary data collection camp. The same applies to data required to deliver the goods or services the customer is paying for, such as a postal address for ecommerce brands, he said.

“But does a restaurant really need a birth date, or perhaps a place of work, before taking an online booking? Do consumers want to give their email address in every physical store they go in?” Noble asked. “Former deputy privacy commissioner for NSW, Anna Johnston, who now heads up Salinger Privacy, recently suggested a requirement to give email addresses and phone numbers to make in-store purchases could even be a breach of the existing Privacy Act.”

What’s more, there’s a tipping point in consumers’ minds on overcollection of data for the purposes of digital marketing that can leave them going elsewhere, Noble warned. He cited new data from the SEC Newgate Mood of the Nation report, based on surveys taken amid the Optus and Medibank hacks, which found one in five respondents had cancelled online subscriptions in the past month. Seven in 10 had changed an online password in the same timeframe, and more than 60 per cent had set up two-factor authentication.

“That’s the pointy end of the argument,” Noble said. “Distrust is growing around online security leading to consumers at best trying to find the most secure options for the services they do need/trust, and at worst just cancelling the ones they don’t.  

“The bottom line is businesses distracted by unnecessary data are doing themselves a disservice because less is more - especially if you want to avoid a cyber breach.”  

Noble was joined in his data minimalist view by Carsten Rudolph, Professor in the Department of Software Systems and Cybersecurity, Faculty of Information Technology, Monash University. Professor Rudolph agreed that what data is stored today is usually not driven by security concerns and risk analyses, but instead by commercial interests in current or potential future business cases and by legal data retention requirements.

“We need to move beyond thinking about how we protect critical data sets to a strategy of data minimisation,” he said. “For a health insurer, this would mean critically analysing what data is actually required to deliver the service. Which type of data needs to be readily available? What data can just be used for a shorter process without actually retaining it?

“Further, critical customer health information should either not be stored by an insurer at all, or if it is required, it should not be easy to link it to the customer’s identity.”

Rudolph agreed the breaches we’re seeing now are damaging reputations and destroying customer trust.

“However, building trust is much more difficult. That no data breach or attack is known does not mean a company’s security is any better. If security is really bad, breaches might not even be noticed. On the other hand, if a company has great security, it is difficult to make this security posture visible to the customer,” he commented.

“Transparency, empowering customers to make informed choices on what data is stored and implementing unique security features can be ways to build trust. Then, if there is a breach, and companies can show that they were able to minimise harm, the damage to customer trust might be minimised as well. 

“But even better would be to only store the absolute minimum of data.”

Measures to tighten security  

If there’s one thing rising cyberattacks should be telling us, it’s that all organisational systems are potentially vulnerable.  

“As long as we don’t focus on establishing fundamentally secure systems, there will be more successful attacks,” Rudolph warned. “Therefore, in risk analyses, companies need to consider the case of networks and applications being breached.”

Across the industry, there’s increased recognition of two-factor authentication as a must. Noble said brands that have a requirement to collect sensitive data may find themselves behind the eight ball if they don’t adapt to these sorts of approaches.  

“If we ask ourselves whether we’d prefer to shop somewhere that asks for only the information required and then uses simple two-factor authentication to keep things secure or fill in endless data fields and only ever be password protected, the answer should be pretty clear,” he said.  

Firewalls, multi-factor authentication and intrusion detection are essential, but not sufficient, Rudolph continued.  

“Minimising risk would then mean implementing approaches such as minimising data being stored or being available in the network, using advanced security mechanisms such as encrypted databases, securely de-identifying data if identities are not required, and listening to security researchers to identify new and more secure ways to work with data,” he said.

“Also, the data actually collected can be encrypted so that the number of data requests can be controlled, and malicious activities can be stopped before a complete database is syphoned off.”
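As an added illustration of the two ideas Rudolph raises above (health data that is not easily linked to a customer’s identity, and de-identifying plus retaining only what the service needs), the sketch below is example code written for this article, not code from CMO, Monash, Medibank or any insurer. It assumes a claims service that needs only three fields, a seven-year retention window, a placeholder HMAC key, and constructed sample input.

```python
from __future__ import annotations
import hmac
import hashlib
from datetime import date, timedelta

# Assumed split for this example: the claims service needs only these fields;
# everything else the sign-up form captured is discarded before storage.
REQUIRED_FOR_SERVICE = {"policy_number", "claim_date", "procedure_code"}

def pseudonym(customer_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) standing in for the customer identity.
    A plain hash of a structured ID could be recomputed from a leaked table;
    with a secret key held elsewhere, a leaked health record cannot be linked
    back to the person unless that key is compromised as well."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:32]

def minimise(raw: dict) -> dict:
    """Drop every field the service does not need before anything is stored."""
    return {k: v for k, v in raw.items() if k in REQUIRED_FOR_SERVICE}

def split_record(raw: dict, key: bytes, retention_days: int) -> tuple[dict, dict]:
    """Return (health_record, identity_record). Health data is stored only under
    the pseudonym with a purge date attached; the identity record maps pseudonym
    -> contact details and belongs in a separately protected store, so a single
    breached database is not enough to tie health information to a named customer."""
    pid = pseudonym(raw["customer_id"], key)
    purge_after = date.fromisoformat(raw["claim_date"]) + timedelta(days=retention_days)
    health = {"pid": pid, "purge_after": purge_after, **minimise(raw)}
    identity = {"pid": pid, "customer_id": raw["customer_id"], "name": raw["name"]}
    return health, identity

def purge_expired(records: list[dict], today: date) -> list[dict]:
    """Retention enforcement: keep only records still inside their window."""
    return [r for r in records if r["purge_after"] > today]

# Constructed sample input (not real customer data) and a placeholder key.
SAMPLE_KEY = b"placeholder-key-keep-in-a-separate-secrets-store"
SAMPLE_CLAIM = {
    "customer_id": "C-1001", "name": "Sample Customer", "email": "s@example.invalid",
    "date_of_birth": "1980-01-01", "employer": "Example Pty Ltd",
    "policy_number": "P-77", "claim_date": "2022-10-01", "procedure_code": "H123",
}

if __name__ == "__main__":
    health, identity = split_record(SAMPLE_CLAIM, SAMPLE_KEY, retention_days=7 * 365)
    print(health)    # only pid, purge_after and the three required fields
    print(identity)
```

The stored health record never contains the name, email, birth date or employer captured at sign-up, and the purge date makes the retention limit enforceable rather than aspirational.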

Rudolph called for a review of data sharing approaches. “In conjunction with these measures, laws or regulations should be established to enforce lesser data collection and encryption of data once it is collected,” he said.  

“Currently, data sharing protocols as enabled through the Consumer Data Right framework do not give consumers the option to decide how long their data is stored, for example. It merely requires the company to seek sharing permissions and then the consumer can either give consent or decide for their data not to be shared. Consumers should be empowered to make informed decisions, customise sharing permissions and should be able to enforce the deletion of data.”

In this vein, Noble noted Apple’s decision to introduce iCloud email masking. In addition, every app downloaded from the Apple App Store must now list what information and data points it collects. This level of extreme transparency is what’s under consideration in the current review of Australia’s Privacy Act.

“Some data must be collected for the application to work correctly. But if the user wants to share less data, this could simply equate to less features, or even a pop-up question each time the app is opened, so the choice as a consumer is yours to make,” Noble said. “At any stage, you can view what data’s been collected, what’s linked to you directly, and what data is used for tracking. When deleting an app, you also have the option to remove the data collected.  

“In Australia, Up bank is also a great example of an organisation taking privacy seriously, only collecting the legal minimum required to verify and open an account. The website and mobile app use clear and concise language to outline what is collected and why,” he added.  

Google also pushes two-factor authentication, Noble said. And with a further tip of his hat to the Privacy Act review, he said Australian legislation needs to get up to speed with digital privacy, as Europe’s GDPR laws have, “to clearly define what information is being collected with optional data”.
