Date: 2024-06-04

Another day, another data breach. Australian company MediSecure recently fell victim to a major data breach, with customers' personal and health information impacted.
More recently, Ticketmaster also suffered a breach of its data alleged to contain PII and partial payment details of up to 560 million customers.
While unconfirmed at this stage, it's likely that much of this information should have already been disposed of, and so not exposed in these latest events.
That's the case with most data breaches - organisations hold onto swathes of data, well past its use-by date, which inevitably ends up in the hands of hackers who use it to demand ransom or sell it on the dark web.
It's something that I'm unfortunately familiar with. I graduated from the Australian National University in 2005.
Fast forward to 2018, and my private information was caught up in a breach on the university by a foreign state actor - old records that should have been deleted after seven years were instead retained, and then leaked.
This is a common occurrence because cyber security efforts typically focus on reducing the likelihood of a breach happening.
Gartner forecasts Australian companies will spend $7.3 billion on security and risk management products in 2024 - up 11.5 per cent on last year - and firewalls and encryption are high on the priority list.
However, with data volumes increasing exponentially, it is critical that robust cyber security measures are balanced against ethical and practical data management, to reduce the impact of an inevitable breach.
And laws are changing to mandate this shift in focus.
It has long been accepted that everyone can be breached.
Creating an impenetrable system is unrealistic as the bad guys will always be a step ahead, and there will always be new zero-day vulnerabilities, misconfigurations, human error, or trusted insiders that can cause a data spill.
That means Australian companies need to not only put up their walls, but also reduce the damage that can be done when those walls are inevitably breached. This is where data minimisation becomes essential.
Data minimisation involves avoiding the collection of unnecessary personal details, duplicate data, excessive backups, or offline copies, and only collecting what is needed.
It also means limiting the number of people with access to the data, their privileges, and the duration of their access.
Finally, effective data minimisation requires robust policies and governance around records management and retention.
For many years, companies have stockpiled information for various purposes - to improve corporate decision making, create accountability, and personalise experiences for their stakeholders, to name a few.
But by reducing the amount of data in the network, companies minimise what information stands to be stolen, and ultimately discourage attempts to access systems.
Hackers want you to have as much data as possible. Less data equals less incentive for them, which is why organisations that don't have a good data disposal process are at much higher risk.
Data minimisation isn't just about fulfilling legal obligations, such as reporting to national frameworks like the OAIC's notifiable data breach scheme or meeting the requirements of GDPR or the consumer data right.
As well as reducing the potential harm of a breach, it's a crucial mechanism for gaining a full understanding of the data an organisation holds, which subsequently enables faster response and recovery - quickly determining which parties are affected, and having the ability to alert those parties that their information is compromised.
It also helps with accountability when it comes to insurability.
Organisations holding sensitive amounts of information for extended periods of time, and who don't have robust disposal processes and systems, typically face higher cyber insurance costs.
These organisations may also be less likely to be paid out by their insurer despite having taken other cybersecurity measures, as they are deemed not to have taken adequate measures to establish granular visibility into the information in their custodianship.
Given the complexity and volume of data, technology plays a pivotal role in identifying valuable and sensitive data.
AI and automated decision-making tools enable autoclassification of all data, and the management of associated risks.
But it is crucial to keep humans in the loop. With something as risky as data governance, removing people completely from the process is dangerous.
To mitigate risks such as AI bias or malicious use, AI-assisted processes must be explainable and transparent. This transparency allows decisions to be challenged by humans, protecting vulnerable communities from potential harm.
In an era where data breaches are a persistent threat, data minimisation is fundamental to reducing impact.
By limiting the amount of data retained - and knowing when to responsibly dispose of it - organisations can protect themselves and their stakeholders, ensuring inevitable breaches do not result in catastrophic damage.
