In September, telecommunications company Optus revealed it had suffered a data breach resulting in the personal details of around 10 million current and former customers being stolen. This was followed by another serious breach in October at Medibank when criminals obtained personal healthcare records belonging to more than four million customers.

A third high-profile breach occurred earlier this year at one of Australia’s largest pathology companies. Australian Clinical Labs revealed cybercriminals had obtained medical data relating to thousands of patients after gaining access to the company’s core IT systems.

In response to this wave of attacks, the Australian Government has announced plans to amend privacy laws and increase penalties for companies suffering major data breaches. The penalties could be as high as $50 million, three times the value of the benefit obtained through misuse of the data, or 30 per cent of the organisation’s turnover.

The attacks have led to many people asking two basic questions: why do companies retain such large volumes of personal data for extended periods, and what measures do they have in place to protect it?

Data governance is critical

The retention of personal records requires businesses to have in place effective organisation-wide data health with data governance policies and procedures. In the recent attacks, it took victim organisations days or even weeks to fully understand exactly what data had been accessed and stolen. The lack of a comprehensive, consistent approach to data governance slows processes further and results in significant risk exposure.

Such delays are simply unacceptable. It is vital businesses understand exactly what personal data is being retained, where it is being stored, and who has access to it. Failure to do this undermines public confidence and could result in customers shifting to rival firms.

Effective governance policies should also determine the length of time personal data is retained. The Medibank breach revealed the company has been keeping records for up to 10 years, even after people had ceased to be customers.

Such long-term retention appears unnecessary and results in a larger pool of data that can be accessed and stolen by cybercriminals. Policies should be amended so that required information is only retained for as long as it is legally required, and then deleted.

Businesses need to remember that data governance needs to be an ongoing program rather than simply a one-off project. It’s not something that can completed within a given period but rather must become something that is continuously monitored and managed.

A framework should also be created that comprises the right checks and balances to ensure data is only accessed by authorised people who have a reason to do so. Many organisations also find it beneficial to create a data catalogue that logs the metadata details of all data being stored.

A data catalogue can be used to gain insight into exactly where data has come from, how it is used, and where it is sent. Should a breach occur, this can make determining the extent of the damage that has occurred much easier.

Organisational data culture

Organisations also need to realise that effective data governance and security requires more than just technology. What is also often needed is a change in culture.

Bringing everyone to the same understanding of the data and how to handle it fosters a data-driven culture. Data culture is the collective behaviours and beliefs of employees who share a common understanding of enterprise data and use data for their decisions and operations in a way that is compliant with internal policies and external regulations.

Staff need to understand their roles in maintaining security and the importance of keeping personal details – especially things such as health records – protected at all times. Education about issues such as phishing campaigns should be undertaken on a regular basis.

An effective data culture should also result in scheduled reviews of exactly what customer data is being retained. Items such as passport and driver licence numbers, home addresses, and phone numbers are often collected and stored for far longer than is actually required.

If an organisation has a large volume of stored customer data across multiple locations, undertaking such a review is not a trivial task. Sufficient resources must be allocated to ensure that all data is identified and carefully assessed to determine whether it should remain or be deleted.

Maintaining an effective shared data culture is an ever-shifting balancing act between control, compliance, and access.

The wave of serious data breaches suffered by Australian businesses during 2022 is almost certain to continue in the coming year as cybercriminals work to hone their tactics and techniques. For this reason, an organisation-wide data health strategy is necessary to enable advanced controls that ensure data is compliant, secure as well as accessible, and understandable. But this more significant control on data does not mean losing sight of the fact that when data across the organisation is healthy, it’s easy to drive business objectives with data.

Taking preventative steps now can reduce the chance of large-scale losses and customer distress in the future.