
Copyright © 2020 ACADEMIA INDUSTRY NETWORKS-All rights reserved

A REVIEW OF DATA GOVERNANCE REGULATION, PRACTICES AND CYBER SECURITY STRATEGIES FOR BUSINESSES: AN AUSTRALIAN PERSPECTIVE

Thilla Rajaretnam1*

1 Western Sydney University, NSW, AUSTRALIA

*Corresponding author: [email protected] Accepted: 12 February 2020 | Published: 6 March 2020

Abstract: Cyber risks such as cybersecurity breaches, cybercrimes and cyber terrorism are hot topics around the world. Cyber adversaries are regularly targeting government networks and businesses. The problem is not only an IT issue but a significant governance issue. Good data governance practices and cyber-security infrastructure frameworks assist in managing some of the cyber risks and threats without the need for regulatory requirements on corporations and government agencies. However, the maturity of cybersecurity practices varies across government institutions and business organisations, with many such entities facing significant exposure to cybersecurity risks. There are also inconsistencies in the application of data governance laws and strategies, and regulators are facing significant challenges in regulating and monitoring cybersecurity. As the scope is broad, this paper will only examine Australia's cybersecurity laws and regulation, and whether Australian businesses need to rethink their data governance practices and cyber-security strategies. This paper will first map the cyber threat environment in general; examine Australia's current cybersecurity framework and strategies for data governance; and then examine whether the Australian framework for cybersecurity meets similar provisions and strategies set under the European Union's General Data Protection Regulation. It concludes with some recommendations for incident response strategies for businesses to implement in order to mitigate and defend against cyber risks.

Keywords: Data governance, regulation, data security practices and strategies

1. Introduction

Government agencies and businesses need consumer information and create a market for information whose providers are the consumers themselves. Individuals provide information willingly for legitimate purposes; the information collected ranges from personal information to sensitive information about individuals and organisations.

Personal data include a wide range of information such as names, addresses, birthdates, email, social security numbers, employee IDs, medical records, bank account details, photos and personal videos (European Union General Data Protection Regulation (GDPR), 2018; Australian Government, Office of the Australian Information Commissioner, 2017). Data collectors using data mining technologies track the digital footprint of every Internet and mobile user. Data collectors include individuals, businesses and public sector agencies. The data collected are then shared with more and more third-party partners, suppliers and contractors within Australia and globally. The indiscriminate harvesting of online digital data using data mining and behaviour tracking technologies, the matching of data to create customer profiles and the creation of digital dossiers without consent is an invasion of privacy and poses risks to Internet users.

In the digital age, data governance and data security are crucial. Cybersecurity breaches and cybercrimes have a massive impact on businesses and on consumer confidence and trust. Government agencies and businesses around the world, including in Australia, are facing significant challenges in mitigating these cyber risks. Managing the Internet and cyber-security is not only an IT issue but a significant governance issue that requires ongoing broad-level governance and oversight. The lack of a comprehensive and harmonised international and domestic legal framework and strategies, a lack of adequate domestic oversight of businesses and government agencies, and non-compliance with data governance practices and guidelines by individuals, businesses and government agencies are factors that contribute to cyber risks. Individuals, corporate customers and shareholders are looking to boards and government regulators to take proactive action to manage the risks of data security breaches and to ensure timely notification of such breaches. The title of this paper echoes the concerns of individuals, businesses and government agencies who have been victims of cyberattacks.

In this context, this paper examines Australia's approach to data protection, its cybersecurity framework and strategies for data governance, and whether Australia's data protection framework meets the international standards for cybersecurity set under the European Union's General Data Protection Regulation (GDPR) (European Union, Cybersecurity Strategy of the European Union, 2013). The paper undertakes a literature review and examines whether Australian businesses need to rethink their data governance practices and cyber-security strategies to protect consumer data. It then maps the cyber threat environment in general and the challenges for regulators in providing a safe digital environment; examines whether Australia's current cybersecurity framework and strategies for data governance meet the international standards for cybersecurity set under the GDPR; and asks whether regulators and businesses in Australia need to rethink their current cyber-security framework and strategies to mitigate the threats to cyber-security and data governance in Australia. The paper then focuses on the adequacy of current Australian business practices for data governance and cyber-security strategies. It concludes with some concluding thoughts and recommendations for incident response strategies for businesses to implement in order to mitigate and defend against cyber risks.


2. Literature Review

Despite its recognised high importance, data governance is still an under-researched area and less practised in industry (Rouse, 2017; Al-Ruithe et al., 2016). Research on data governance consists mostly of descriptive literature reviews. The literature analysed for this paper, sourced from statutory provisions, case law decisions and scholarly journal articles, emphasises the need to build a standardised strategy for data governance. Therefore, this paper takes a taxonomy approach to define the different attributes of data governance, so as to make a valuable contribution to knowledge and to help decision makers understand the significant factors that need to be considered when implementing data governance laws and strategies in a particular jurisdiction. The taxonomy of terms and definitions helps to clarify the concepts of data governance in the governance domains.

The following part examines the cyber threat environment and then Australia's statutory framework, the terms and definitions provided under relevant Australian statutes, and the framework under industry regulation and practical strategies for data governance.

3. The Problem Statement

Cybersecurity breaches, cybercrimes and cyber-terrorism are consequences of the Internet being introduced with unbridled enthusiasm by governments without regard to the impact it would have on the legal system, corporations and their citizens. While digital connections enable innovation to power the economy through faster communications and connectivity, they also create vulnerabilities that are a liability for businesses and organisations. The growth in global Internet and mobile usage, connectivity, the Internet of Things and the uptake of emerging mobile technologies are factors that have contributed to cybercrimes and cybersecurity risks for businesses and governments.

World Bank statistics indicate that there are now approximately 3.75 billion Internet users (Internetlivestats.com, Online, 2020). According to World Bank data, there has been a global shift in the predominance of mobile phone ownership in the last decade (The World Bank, 2013; Bastawrous et al., 2013). Mobile phone ownership has reached near-ubiquitous levels even in low-income countries. According to World Bank statistics, there are over 5 billion wireless subscribers in the world, and over 70 % reside. World Bank data indicate that by 2015, over 85 % of the world population had wireless signal coverage and there were over 5 billion wireless subscribers. Of these, 70 % were from low and middle-income countries (The World Bank, 2013; Bastawrous et al., 2013). Statista, one of the leading Internet-based statistics companies, based in Germany, estimated that in 2016, 62.9 % of the world's population already owned a mobile phone. The forecast for 2017 was around 4.77 billion mobile phone users worldwide; by 2020, mobile phone penetration is expected to grow to about 67 per cent, and the number of mobile phone users in the world is expected to pass the five billion mark (Statista, 2020). The amount of information held by data collectors worldwide is staggering.


The continuously changing architecture of networks and systems poses threats to the personal information held by businesses and government agencies in those networks and systems. Cloud and mobile technologies are notoriously riskier than on-premises technologies. The Internet of Things ("IoT") revolves around increased machine-to-machine communication and is built on cloud computing and networks of data-gathering sensors. IoT is a mobile, virtual and instantaneous form of connection that is said to make everything in our lives, from streetlights to seaports, "smart". This smart framework carries a set of risks associated with technologies that are already high risk, and the combination of these exponentially increases the risk (Skroupa, 2017). This is because as more and more companies manufacture sensors and devices, they continue to skimp on security to make their goods and services competitively priced. The lack of adequate cybersecurity exacerbates the risk.

The threats may emerge directly from foreign states, state-owned organisations or external partners, from within the organisation, or from network system vulnerabilities. According to the Florida Center for Instructional Technology, a "network" is more extensive than the Internet and includes a corporate intranet and even the various devices at your home connected by Wi-Fi. A "computer" is understood to include not only a desktop or laptop computer but also a tablet or smartphone (Florida Center for Instructional Technology, 2013). Cybersecurity breaches, cybercrimes and cyber terrorism are hot topics around the world, as government networks and businesses are generally targeted by cyber adversaries. There was an alarming increase in cybersecurity breaches worldwide from 2015 onwards until May 2017. For example, Australian government websites and the Bureau of Meteorology were hacked by foreign spies from nation-states in a massive malware attack in October 2016 (Parry, 2013; Green, 2016).

Forbes reported eight major cyberattacks in 2016, which included the US Department of Justice; LinkedIn, Tumblr and Myspace; the Democratic National Convention; Yahoo #1; the World Anti-Doping Agency; DYN; AdultFriendFinder; and Yahoo #2 (Anderton, 2017). Sanrio Digital (HK) Limited announced that personal data, including children's data, of up to 3.3 million members of the Sanrio Town website may have been the subject of a data breach in December 2016 (Bolton, 2015). The Hong Kong Privacy Commissioner investigated Sanrio Town. Most recently, in May 2017, a worldwide cyberattack hit computers across Europe, Asia and Russia. This incident paralysed hospital databanks and emergency services in the United Kingdom (Sulleyman, 2017).

The ransomware attack of 28 June 2017 hit computers across the globe, impacted Russia's biggest oil company, disrupted operations in Ukrainian banks and shut down computers at multinational shipping and advertising firms (Stubbs & Polityuk, 2017). Australia has also admitted that hacking attacks on government systems have occurred in Australia, and as such the government has boosted its cybersecurity strategies. Prime Minister Malcolm Turnbull acknowledged an attack on the country's weather bureau but stopped short of blaming it on China. As a consequence, Australia unveiled a multi-million-dollar cyber scheme to combat hacking (PHYS.Org, 2016).


A cybersecurity breach can occur when hackers infiltrate computers and computer programs and access data illegally, or create shortcuts into computers and computer programs. Hackers can be individuals or organised crime groups that are globally connected (BBC News, 2014; Thomson, 2015). Hackers may have social causes and agendas that include exposing government policies or corrupt governments, or punishing transnational and multinational corporations such as banks or oil companies for unconscionable and unethical conduct. For example, WikiLeaks founder Julian Assange, aka 'Mendax', has been credited with multiple attacks on international online networks, databases and companies that include NASA, the Pentagon, the US Navy and countless other institutions (BBC News, 2014). Hackers and cybercriminals take advantage of the Internet's ubiquitous nature and their ability to operate anonymously, the lack of monitoring and the lack of sanctions for perpetrators of cybercrime and cyber-terrorism. For example, hackers and cybercriminals in countries such as Nigeria, where there are inadequate cybersecurity frameworks, monitoring and sanctions for hacking and cybercrimes, have defrauded millions of Internet users (AFP & Robinson, J., 2016). Hackers often attack the networks and systems of businesses and government agencies (BBC News, 2014).

Hackers use network credentials stolen from a company's vendor to impersonate email users. Sophisticated phishing scammers target email users. A Google Docs request may be sent to fool the user into granting access to a malicious third-party application; such attacks take advantage of network connectivity and exploit vulnerabilities in legal systems. Hacking can cause substantial commercial losses to individuals and businesses. Australian hackers have been accessing money, personal information and private government databases through underhanded methods across the Internet for decades (Thomson, 2015). Hacking can lead to fraudulent transactions or destroy valuable information, and may even bring a business or organisation to a standstill (Skroupa, 2017).

Hackers can steal commercial information, gain access to confidential data or cause damage to the computer infrastructure. Some cyber hackers are 'man-in-the-middle' hackers. These types of hackers are usually disgruntled employees who hack into the business's computer network. A man-in-the-middle attack occurs when an employee is negligent and careless, such as when a human resources employee's laptop containing the personal data of current employees is stolen or misplaced.

For example, Reality Winner, a 25-year-old NSA contractor, was arrested by the FBI for leaking to the press classified documents about Russian meddling in the last US elections (Reuters, 2017).

Cyber-dependent crimes are those where a digital system is both the target and the means of attack, and cybercriminals use the Internet to facilitate online hacking, phishing and denial of service attacks. Crimes that fall in this category involve computers or other information and communications technologies that are an integral part of an offence (such as online fraud), and crimes directed at computers or other technologies (such as hacking). Cyber-enabled crimes are existing traditional crimes that have been transformed in scale or form by their use of the Internet.

Cybercrimes that fall in this category include identity theft, online drug dealing, money laundering through payment systems and e-cash, online child grooming, child pornography websites, online fraud and cyberstalking. The Official 2019 Annual Cybercrime Report produced by Cybersecurity Ventures reported on the impact of cybercrimes on society. According to the report, cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015 (Morgan, S., Cybercrime Magazine, 2016).

Developing laws and regulation for data governance can be very complex and needs to be accomplished in stages, since data complexity and volume continue to explode. In addition, businesses have grown more sophisticated in their use of data, which drives new demands for data to be used in diverse ways. For example, data may be combined, manipulated and stored, and the resulting information presented to suit the business's specific needs. Businesses globally recognise that data management solutions alone are becoming very expensive and are unable to cope with business realities. Thus, the data problem must be solved in a different way (Niemi, 2011). The notion of data governance started to take a different direction as attempts to govern data have generally failed in most jurisdictions. This is because data governance is driven by IT and by the way technology and technological devices are used. The use of innovative technology and technological devices impacts on rigid processes and fragmented activities that are carried out on a system-by-system basis. Data governance has been mostly informal and guided by industry regulation, due to the need for the law to be technologically neutral. Seiner (2014) argues that business organisations need to design a data governance model of role responsibilities to identify people who have a level of accountability to define, produce and use data in the organisation. Other authors in the scholarly literature argue that business organisations should be accountable for the data that they collect from the information technology (IT) sector. They argue that IT staff, business management and senior-level executive sponsorship in the organisation should be accountable if data is breached (Russom, 2008).

Experts in this field show that many organisations do not implement data governance, and the problem is obvious from glaring indicators such as the many instances of data breaches and misuse of personal data by business organisations and social media networks. The general feeling is that the collection and use of personal data are out of control (Kamioka et al., 2016). To curtail the problem of unlawful data collection and the misuse of personal data, appropriate and effective data governance is necessary.

Creating a sustainable and effective data governance framework, coupled with practical strategies for businesses to follow, may be the way to go (Poor, 2011; Wende, 2007). The sections that follow examine the regulatory framework in Australia and cyber security practices and strategies.

4. Australia's Cyber Security Regulatory Framework and Strategies

4.1 Statutory Regulation

4.1.1 Privacy Act 1988 (Cth)

The primary data protection legislation in Australia is the federal Privacy Act 1988 (Cth) (Privacy Act). The Privacy Act is an Australian law which regulates the handling of personal information about individuals. The Privacy Act includes thirteen Australian Privacy Principles (APPs). The APPs set out standards, rights and obligations for the handling, holding, use, accessing and correction of personal information (including sensitive information). Section 6 of the Privacy Act defines 'personal information' as 'information or an opinion about an identified individual, or an individual who is reasonably identifiable' and defines 'consent' to the collection, use and disclosure of information to mean 'express or implied' consent.


4.1.2 Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act)

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) introduced significant reforms to the Privacy Act 1988 to strengthen privacy protection. These changes commenced on 12 March 2014. The reforms under the Privacy Amendment Act create a single set of thirteen Australian Privacy Principles (APPs) that apply to both Australian Government agencies and the private sector. The APPs replace the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) and set out the standards, rights and obligations for collecting, handling, holding, accessing, using, disclosing and correcting personal information.

The Privacy Amendment Act introduces more comprehensive credit reporting for consumer credit and improved privacy protections expressed in logical, consistent and straightforward language. It strengthens the functions and powers of the Australian Information Commissioner to resolve complaints, use external dispute resolution services, conduct investigations and promote compliance; and it creates new provisions on privacy codes and the credit reporting code, including codes that are binding on specified agencies and organisations.

4.1.3 Privacy Amendment (Notifiable Data Breaches) Act 2016

The Privacy Amendment (Notifiable Data Breaches) Act 2016 establishes a mandatory data breach notification scheme in Australia. The Act requires government agencies and businesses covered by the Privacy Act to notify any individuals affected by a data breach that is likely to result in serious harm. The Office of the Australian Information Commissioner (OAIC) is to be advised of such breaches, as and when a data breach occurs, by the data collector (which includes APP entities) within 72 hours of its discovery. The Privacy Amendment (Notifiable Data Breaches) Act empowers the Australian Information Commissioner to determine whether further action is required. The Act also gives the Australian Information Commissioner the ability to direct an agency or business to notify individuals about a serious data breach within 72 hours of the discovery of the breach.

4.1.4 Treasury Laws Amendment (Consumer Data Right) Act 2019 ('CDR Act')

Open data and open banking hold tremendous potential for societal development and economic growth. The Australian Federal Government has recently enacted the Treasury Laws Amendment (Consumer Data Right) Act 2019 ("CDR Act") (Australian Parliament, Consumer Data Right Act 2019). The CDR Act amends the Competition and Consumer Act 2010 ("CC Act"), the Privacy Act 1988 ('Privacy Act') and the Australian Information Commissioner Act 2010 ('AIC Act'). The Act provides for the Australian Competition and Consumer Commission ("ACCC") to enforce the consumer data rules and for the Office of the Australian Information Commissioner ("OAIC") to regulate the CDR. The CDR Act proposes to deal with privacy and data protection through the following mechanisms: consumer data rules that permit the ACCC to make 'consumer data rules' on a range of elements of the CDR system that relate to disclosure, use, accuracy, storage, security and deletion of CDR data. The CDR Act will initially apply to the banking sector and will later be expanded to the energy and telecommunications sectors. The Act mandates obligations on the sharing of customer data with third parties. The CDR aims to regulate the way consumer data is used and introduces a 'consumer data right' applicable to open data. However, open data may include personal and sensitive data, and there is a cost to banks in giving access to personal and sensitive data that may be broadly used, shared and built on by anyone, anywhere and for any purpose.

Open banking in Australia and elsewhere faces growing governance and regulatory risks as participants seek to protect personal data and sensitive data. The problem is that if organisations reward consumers for information, it is more likely that they will ensure that the information is not easily available to outsiders, as they have paid for it; further, these organisations are also bound by privacy legislation and regulation.

4.2 Industry Self-regulation

Generally, industry regulation is characterised by industry-formulated rules and codes of practice that may take the form of voluntary or mandatory codes of practice. Codes of practice exist in relation to an important segment of the e-commerce market, namely the telecommunications industry.

The Australian Information Commissioner ("AIC") has the power under the Privacy Act to approve industry privacy codes of practice. Besides the AIC, other regulators such as the Australian Competition and Consumer Commission (ACCC) Commissioner and the Australian Securities and Investments Commission (ASIC) Commissioner have the power to approve industry codes of practice related to privacy under federal legislation. The Australian Communications and Media Authority (ACMA) directs participants in the telecommunications industry and the e-marketing industry to comply with mandatory industry codes of practice (Section 5 of the Telecommunications Act 1997 (Cth)). This means that not all segments of industry are covered under codes of practice.

4.3 Practical Strategies for Data Protection

The Productivity Commission in Australia reflected on the fact that consumer knowledge of contracts and privacy risks is inadequate, and that consumers must be made aware of the contractual obligations imposed by the law on businesses and of privacy risks, so that consumers may take measures to minimise the risks to their personal data. The Productivity Commission suggested that a consumer-centric approach be adopted. Some recommendations towards a consumer-centric approach would be to:

• establish a mandatory data breach notification scheme and a right to redress for the misuse of personal information;

• establish a requirement for express consent versus explicitly informed consent;

• enhance consumer knowledge and understanding of standard contracts;

• ensure the transparency of security measures and de-identification standards and processes;

• ensure the accessibility and affordability of data shared under the proposed scheme;

• introduce comprehensive credit reporting in the telecommunications industry.


Australian Communications Consumer Action Network (ACCAN) is broadly supportive of the Australian Productivity Commission’s report on Data Availability and Use (Australian Communications Consumer Action Network (ACCAN), 2016). The Productivity Commission proposed ways in which consumers may be empowered to have more control over data about them.

The following are some of the recommendations from the Productivity Commission aimed at empowering consumers. These are:

1. Data breach notification should be mandatory before proposals to increase the availability of personal information are developed;

2. Consumers should have a statutory right to redress and compensation when data is misused or released without explicit informed consent;

3. Organisations are required to work with consumers to help them understand what their personal information is being used for and what the benefits are to them;

4. There is an in-depth investigation into consumer knowledge and understanding of data collection and privacy issues and a commitment to increase this understanding to enable genuinely informed consent.

5. International Data Governance Framework and Cyber Security Strategies

5.1 European Union (EU) Directives and Regulation

The European Commission provides regulation for privacy protection and strategies for European Union Member States. It sets the international standards for information governance and data security. The following Directives and regulation provide privacy protection and information governance.

5.2 Directive on Network and Information Security, in force from August 2016

The Member States will have 21 months to implement the Directive into national law. The Directive requires market operators and public administrations to report incidents that have a significant impact on the security of the core services they provide. The competent national authority could, in turn, order these controllers to notify the relevant individuals. Notification requirements apply to public administrations and key Internet companies (i.e. large cloud providers, social networks, e-commerce platforms, search engines, and the banking, health, energy and transport sectors).

5.3 General Data Protection Regulation (GDPR)

The European Commission and European Parliament deemed EC Directive 95/46/EC outdated to meet modern privacy needs and concerns. The General Data Protection Regulation (GDPR) replaces local data protection laws (European Union, General Data Protection Regulation, 2018).

The GDPR promises data protection rules that will remove red tape for businesses but also tighten privacy protections for online users. The GDPR forces organisations to take ownership of their information practices, be accountable for all associated privacy risks in the course of doing business and prove the veracity of their data protection programs. EU member states are committed to the GDPR. The GDPR impacts global business entities that trade with EU member states, and non-compliance with the GDPR requirements will impact the transfer of personal data to businesses in non-compliant countries; as such, the GDPR has a significant influence on electronic commerce and mobile commerce activities worldwide. There are guidelines and strategies in place in most countries, including Australia, to protect the privacy of data subjects and prevent data security breaches. There are two perspectives on privacy and data protection. The European Union (EU) stresses fundamental rights, while the United States (US) stresses consumer protection. Australia stresses consumer protection rather than fundamental rights.

5.4 Practical Strategies for Data Protection

National data protection and cybersecurity legislation and frameworks are being adapted to be GDPR compliant, or as close as possible, in order to meet the requirements and standards set under the GDPR. Australia has acceded to the Council of Europe Convention on Cybercrime. The Convention came into force for Australia on 1 March 2013.

There are increasing challenges for regulators in applying new approaches to the Internet to prevent cybersecurity breaches, cybercrimes and cyber-terrorism. The EU's strategy refers to "the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure" (European Union, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, 2013). The Council of Europe Convention on Cybercrime (ETS 185) is the leading, binding instrument directed at cybercrime, to which several countries are parties, including many European countries, the U.S., Japan and Australia.

The European Commission plans to increase its role in directing cybersecurity policy and responses across its Member States and has suggested common defence and security arrangements. A common defence and security arrangement would allow the EU to coordinate responses to cyber-attacks and facilitate greater information sharing, technological cooperation and joint doctrines on cyber threats. A proposal by the European Union for further harmonization of regulation, coupled with strategies focused on minimizing risks to the privacy and security of data, is in progress. The European Union regulators are looking at the response of some internet users to spam mail or the trade of information for a reward; the relation between control and trust; examining to what extent the perception of environmental risks affects relationships with companies and willingness to disclose; and conducting interviews with experienced Internet and e-mail users. The next part examines whether the current framework for privacy protection and data protection, and the strategies implemented by Australian regulators, are adequate and competent to prevent cybersecurity breaches.


6. Adequacy and Effectiveness of Australian Governance, Regulation and Cyber Security Strategies

Data is an intangible asset, and misunderstanding the value of the data that a business possesses may be a missed opportunity for businesses. But as the IoT explodes, security risk will explode with it, leaving a trail of data breaches with high price tags. The issue with this is that the cost of security by obscurity may finally reach boiling point, and you and I will be left holding the bag.

The first step to effective data governance is to know the types of personal data an organisation holds about its customers. Organisations should consider their data collection strategies to avoid collecting unnecessary data in the first place, and should consider which personal data they actually require.

They should, for example, avoid engaging in data mining, data matching and online behavioural tracking, and avoid the over-retention of personal data. Corporate data should be valued and protected, and businesses must handle the personal information of consumers with care. From the consumer viewpoint, trust and transparency in the way businesses handle their personal information is essential to their decision making. Cybersecurity breaches can impact consumer decisions regarding where to shop, what to download and what personal information consumers hand over.

The Australian Signals Directorate (ASD) published a report on strategies to mitigate cyberattacks and listed four strategies for the overall security of an organisation. These four strategies include:

• Whitelisting applications - whitelisting allows only expressly authorised applications to run on a system, protecting computers and networks from malicious or unapproved applications.

• Patching operating system vulnerabilities - a patch is a piece of software designed to update, add a new feature, fix a bug or add documentation to a computer program or its supporting data. Operating systems should typically be patched within two days of a vulnerability being made public, and applications should likewise be patched within a two-day timeframe for serious vulnerabilities. Applications to patch include Java, Flash and Microsoft Office.

• Restrict administrative privileges - restricting administrative privileges is a practical strategy. Administrators are often targeted because of their high level of access to an organisation's ICT system, so minimising administrative privileges will make it more difficult for hackers to spread or hide their presence using IT administrator privileges. Denying internet access to accounts with IT administrator privileges is another strategy that can contribute to greater data security (Australian Government, CERT Australia, Cyber Crimes & Security Report, 2013; Williams, T. & Yap, J., 2015).

• Practical strategies for preventing cybercrimes and key priorities undertaken by the Australian Government include:

1. educating the public to protect themselves;

2. partnering with industry to tackle the shared problem of cybercrime;


3. fostering an intelligence-led approach and better information sharing (Australian Government, Australian Signals Directorate, 2020);

4. improving the capacity and capability of Australian government agencies to address cybercrime;

5. strengthening international engagement on cybercrime; and

6. ensuring that the criminal justice framework in Australia keeps pace with technological changes (Australian Government, Attorney-General's Department, Cybercrime, 2009).

Businesses have a responsibility to keep consumer information safe, and a business owner must protect personal and sensitive information from misuse, interference, loss and from unauthorised access, modification or disclosure once consumer information is collected and stored in their databases. Businesses are also required to take reasonable steps to destroy personal information when it is no longer needed, or to anonymise it. Maintaining a detailed document which records the organisation's data collection and processing activities (i.e. a Personal Data Inventory) is a practical step towards data governance and data security. Non-compliance with data governance practices and guidelines by government agencies, businesses and individuals may have huge financial consequences for these entities. For example, the Information Commissioner's Office (ICO) in the United Kingdom issued a record-breaking fine against TalkTalk Telecom Group PLC for poor website security which led to the theft of the personal information of nearly 157,000 of its customers, under s 55A of the Data Protection Act 1998 (DPA) (Information Commissioner's Office (ICO) UK, 2016). The DPA 2018 came into effect on 25 May 2018 and updates and replaces the Data Protection Act 1998. The penalty provisions under the DPA 2018 are provided under sections 155–159. Section 155(6) of the DPA 2018 confers power on the Commissioner to give a penalty notice in respect of other failures to comply with the data protection legislation, and provides for the maximum penalty that may be imposed in relation to such failures to be either the standard maximum amount or the higher maximum amount.

Thus, to avoid a breach of the law, a starting point is to consider whether businesses know precisely the types of personal information the organisation holds about their customers. Are the privacy policy statements of the organisation or government agency about the types of information it holds transparent? Do customers know how that personal data is being used, stored and transferred? Who is responsible for the different types of data in the organisation, including marketing, IT and HR data? The less personal data is collected, the lower the risk of data security breaches. Considering the recent cyberattacks, organisations should consider reducing the type and extent of personal data they hold so that the organisation retains only essential data.


Businesses should conduct an audit of their organisation's current data collection, storage and transfer practices early, and maintain a clear record of the types and extent of personal data kept by the organisation along with other essential details (key contacts), who is responsible for maintaining the data and who has access to it. An up-to-date inventory of all data held is crucial in the event of a breach. Most often when a data breach occurs, the affected data subjects must be notified. Assessing the severity of the breach and the risks to data subjects requires knowledge of the types and extent of personal data accessed during the breach. A prepared and detailed data inventory classifying the data that an organisation holds, the location where the data is stored, who maintains the data and who has access to it will be an essential pre-requisite for such assessment; provide prospective techno-economic impact analyses; monitor technological development and assess their future policy implications. Thus, data governance and data security should be on the agenda of every business.
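As an added illustration, not part of the paper, the following Python sketch shows how a Personal Data Inventory of the kind described in the preceding paragraphs supports the three checks the text calls for: assessing who and what is affected once particular systems are known to be compromised, flagging data held beyond its retention schedule, and reviewing who has access. All asset names, systems, record counts, retention periods and the sensitivity classes are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Sensitivity classes are an assumption made for this example, not a
# classification scheme drawn from the paper or from any regulator.
SENSITIVE_CATEGORIES = {"health", "financial", "credentials"}


@dataclass(frozen=True)
class DataAsset:
    """One entry of the Personal Data Inventory described in the text."""
    name: str             # what the data set is
    category: str         # kind of personal data it contains
    location: str         # system where the data is stored
    owner: str            # business unit responsible (marketing, IT, HR, ...)
    accessors: frozenset  # roles that can read the data
    records: int          # number of data subjects covered
    retention_days: int   # retention schedule agreed for this data set
    last_needed: date     # last date the data was required for its purpose

    @property
    def sensitive(self) -> bool:
        return self.category in SENSITIVE_CATEGORIES


@dataclass
class DataInventory:
    assets: list = field(default_factory=list)

    def add(self, asset: DataAsset) -> None:
        self.assets.append(asset)

    def assess_breach(self, compromised_systems) -> dict:
        """Given the systems an attacker reached, work out who and what is
        affected; this is the assessment the text says needs an inventory."""
        systems = set(compromised_systems)
        hit = [a for a in self.assets if a.location in systems]
        sensitive = any(a.sensitive for a in hit)
        return {
            "assets": [a.name for a in hit],
            "records": sum(a.records for a in hit),
            "sensitive": sensitive,
            "owners": sorted({a.owner for a in hit}),   # who must be involved
            "notify_subjects": bool(hit),               # anyone exposed at all
            # Severity ladder is a simplification; legal thresholds differ.
            "severity": "high" if sensitive else ("medium" if hit else "none"),
        }

    def overdue_for_destruction(self, today: date) -> list:
        """Data held beyond its retention schedule (over-retention risk)."""
        return [a.name for a in self.assets
                if today - a.last_needed > timedelta(days=a.retention_days)]

    def over_shared(self, max_accessors: int) -> list:
        """Data sets readable by more roles than the agreed maximum."""
        return [a.name for a in self.assets if len(a.accessors) > max_accessors]


def build_sample_inventory() -> DataInventory:
    """Constructed sample data; systems, counts and dates are made up."""
    inv = DataInventory()
    inv.add(DataAsset("customer_contacts", "contact", "crm-db", "marketing",
                      frozenset({"marketing", "sales"}), 12000, 730,
                      date(2019, 12, 1)))
    inv.add(DataAsset("payroll", "financial", "hr-db", "hr",
                      frozenset({"hr", "finance"}), 350, 2555,
                      date(2020, 1, 31)))
    inv.add(DataAsset("web_logs", "usage", "web-01", "it",
                      frozenset({"it", "marketing", "sales", "support"}),
                      50000, 90, date(2019, 9, 1)))
    return inv


if __name__ == "__main__":
    inventory = build_sample_inventory()
    print(inventory.assess_breach(["web-01", "crm-db"]))
    print(inventory.overdue_for_destruction(date(2020, 3, 6)))
    print(inventory.over_shared(2))
```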

The business should create a culture of cybersecurity, retaining personal information only if reasonably required. It should protect critical information and back up critical data, keep software patches up to date, and develop technological programs and software that provide for privacy by design and data security by design. Timely corporate disclosure of a data breach creates consumer trust and confidence, and implementing the best incident response strategies, protecting the organisation and complying with regulation is an advantage. Risk-based policies and procedures for information governance, such as the adoption of detailed retention and destruction schedules, identify key cyber risk issues, set up preventative measures and ensure the ability to deal with a data breach quickly and comprehensively. Businesses need to assess the real business impact of cyber incidents and coordinate response procedures from both a business and an IT perspective. Backing up data either on-site or off-site so that the data is not contaminated, creating employee awareness and conducting cybersecurity training for employees are investments. Early and timely detection of cyber threats and risks is crucial in cybersecurity and defence. Taking out cyber insurance, one of the fastest-growing segments in the insurance industry, protects the company against risks and spreads the losses. Insurance companies conduct cybersecurity breach risk assessments, and premiums will depend on the risk preventive measures in place in the business organisation.

Cyber insurance is one of the fastest-growing segments of the insurance industry, and insurers are pricing policies based on the actual risk of the insured. Measuring cyber risk requires an understanding of how a cyberattack impacts a business's assets. Businesses need to prioritise their assets and to consider whether a data security system will make money or could cost the business money in fines if a data breach occurs. A cost-effective data security system that a business uses is much better than a system with minimal business impact.


Consumers also need to take some responsibility by not disclosing too much information when engaging in the online environment. Consumers should consider whether the information they are providing is necessary for the transaction and what they download, read the privacy policies of those businesses they are interacting with, protect critical information and back up critical data, and use unique passwords and anti-malware software.

7. Conclusion and Recommendations

Government agencies, businesses and individuals need to take proactive steps and develop measures to protect themselves from the threats and risks of cybersecurity breaches and crimes.

Proactive steps taken by the government include reviewing the current framework and strategies and engaging in media campaigns to create awareness of the risks and consequences of cybersecurity breaches, cybercrimes and cyber terrorism amongst business organisations and the general public.

In Australia, the current regulatory framework is being reviewed consistently and assessed to evaluate its adequacy and effectiveness in providing the required legal and technological framework to prevent cybercrime, data security breaches and cyber-terrorism.

Data is tangible, and keeping data safe is not only the responsibility of the government and businesses but that of consumers as well. Personal data held must be necessary and not excessive. Under the GDPR, organisations should only hold data for lawful purposes directly related to the function and activity of the data user. Businesses and government agencies should delete or anonymise any data that is no longer required and, moving forward, avoid the collection of unnecessary data in the first place.

Consumers should take some responsibility by not disclosing too much personal information when engaging in the online environment, which includes social media and online businesses. Consumers should consider whether the personal information they are providing is necessary for the transaction and what they download, and read the privacy policies of those businesses they are interacting with online.

Protecting citizens and businesses against cybersecurity breaches and cybercrimes, while allowing the continued growth of e-commerce businesses, is a challenge. Regulation always lags technology, and IoT will be no different. It is recommended that regulation be harmonized, coupled with strategies focused on minimizing risks to the privacy and security of data. For example, mandatory breach notification reporting, monitoring compliance and imposing appropriate penalties for data security breaches will ensure some level of data security.

Other recommendations to regulators include: investigating deterrent measures for non-compliance with best practice de-identification guidelines; the development of standards around data formats and definitions, which will require broad consultation with diverse community sectors; the development of information campaigns and resources, which will require broad consultation with diverse community sectors and privacy professionals; ensuring that charges cannot be levied by data holders on consumers who exercise the comprehensive right to data access; and keeping the establishment of a comprehensive credit reporting scheme voluntary (Australian Communications Consumer Action Network (ACCAN), 2016; Clarke, 2016).


References

AFP & Robinson, J. (2016). Nigerian 'behind £45million cyber hacker' is arrested over one of the world's biggest malware scams. Mailonline, Daily Mail (Online, 1 August 2016). Retrieved from http://www.dailymail.co.uk/news/article-3717830/Nigerian-60-mn-online-fraud-network-arrested-Interpol.html.

Al-Ruithe, M., Benkhelifa, E. & Hameed, K. (2016). Key dimensions for cloud data governance. In Proceedings of FiCloud 2016, The IEEE 4th International Conference on Future Internet of Things and Cloud, Vienna, Austria, pp. 379–386.

Anderton, A. (2017). 8 Major Cyber Attacks of 2016 [Infographic]. Forbes, Science/#CyberSecurity (Online, 29 March 2017). Retrieved from https://www.forbes.com/sites/kevinanderton/2017/03/29/8-major-cyber-attacks-of-2016-infographic/#39b7023148e3.

Australian Communications Consumer Action Network (ACCAN), (2016). Data Availability and Use – Draft Report, Submission by the Australian Communications Consumer Action Network to the Productivity Commission. Retrieved from https://www.pc.gov.au/__data/assets/pdf_file/0018/211437/subdr306-data-access.pdf.

Australian Government, Attorney-General's Department. (2009). Submission to the House of Representatives Standing Committee on Communications Inquiry into Cyber Crimes. Retrieved from https://www.aph.gov.au.

Australian Government, CERT Australia. (2013). Cyber Crimes & Security Report 2013. Retrieved from http://www.cert.gov.au.

Australian Parliament. (2019). Consumer Data Right Act 2019. Retrieved from https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/bd/bd1819a/19bd068. The Consumer Data Right Act 2019 ("CDR Act") passed in both the Upper and Lower House of the Australian Parliament in August 2019.

Australian Government, Office of the Australian Information Commissioner. (2017). 'What is personal information?'. Retrieved from https://www.oaic.gov.au/privacy/guidance-and-advice/what-is-personal-information/.

Australian Government, Australian Signals Directorate, Australian Cyber Security Centre. (Accessed 10 January 2020). See the Australian Cybercrime Online Reporting Network (ACORN) website. Retrieved from https://www.cyber.gov.au/report. The Australian Cybercrime Online Reporting Network (ACORN) is a national policing initiative of the Commonwealth, state and territory governments.

Bastawrous, A., Hennig, B. & Livingstone, I. (2013). 'mHealth possibilities in a changing world: Distribution of global cell phone subscriptions'. Journal of Mobile Technology in Medicine, 2(1), 22–25.

BBC News. (2014). 'Edward Snowden: Leaks that exposed US spy program' (Online, 17 January 2014). Retrieved from http://www.bbc.com/news/world-us-canada-23123964.

Bolton, D. (2015). 'Sanrio Town security breach puts Hello Kitty fans' private information at risk from hackers'. The Independent (Online, 21 December 2015). Retrieved from http://www.independent.co.uk/life-style/gadgets-and-tech/news/sanriotown-hello-kitty-hack-a6781406.html.


Clarke, R. (2016). Submission to the Productivity Commission on its Inquiry into 'Data Availability and Use'. Xamax Consultancy Pty Ltd. Retrieved from www.rogerclarke.com.

European Union. (2013). Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, JOIN(2013) 1 final, Brussels, 7 February 2013. Retrieved from https://ec.europa.eu/digital-single-market/en/news/eu-cybersecurity-plan-protect-open-internet-and-online-freedom-and-opportunity-cyber-security.

European Union. (2018). General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, in the current version of OJ L 119, 04.05.2016; cor. OJ L 127, 23.5.2018. The General Data Protection Regulation (GDPR) came into effect on 25 May 2018.

European Union. (2013). Council of Europe Convention on Cybercrime, ETS 185, Budapest, 23.XI.2001. Retrieved from http://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_en.pdf.

Florida Center for Instructional Technology, College of Education, University of South Florida. (2013). A "network" is more extensive than the internet and includes a corporate intranet and even the various devices at your home connected by Wi-Fi. A "computer" should nowadays be understood to include not only a desktop or laptop computer but also a tablet or smart-phone. Retrieved from https://fcit.usf.edu/network/chap1/chap1.htm.

Green, A. (2016). 'Bureau of Meteorology was hacked by foreign spies in a massive malware attack, report shows', updated 12 October 2016. ABC News (Online). Retrieved from http://www.abc.net.au/news/2016-10-12/bureau-of-meteorology-bom-cyber-hacked-by-foreign-spies/7923770.

Internet Live Stats, (2020). Number of Internet Users. Retrieved from http://www.internetlivestats.com/internet-users/.

Kamioka, T., Luo, X. & Tapanainen, T. (2016). An Empirical Investigation of Data Governance: The Role of Accountabilities. In Proceedings of the 20th Pacific Asia Conference on Information Systems (PACIS 2016), Chiayi, Taiwan.

Morgan, S. (2016). Cybercrime Magazine. (Accessed 25 November 2019).

Morgan, S. (2019). 'Cybercrime Damages $6 Trillion by 2021'. Cybercrime Magazine. (Accessed 10 January 2020). Retrieved from https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/.

Niemi, E. (2011). Designing a Data Governance Framework. In Proceedings of the IRIS Conference, Oslo, Norway, Volume 14.

Parry, M. (2013). 'China steals new Australia spy blueprint, report says'. PHYS.Org (Online, 28 May 2013). Retrieved from https://phys.org/news/2013-05-china-australia-spy-agency-blueprints.html#nRlv.

PHYS.Org. (2016). 'Australia admits government hack attacks, boosts cybersecurity'. Retrieved from https://phys.org/news/2016-04-australia-hack-boosts-cyber.html.

Poor, M. (2011). Applying Aspects of Data Governance from the Private Sector to Public Higher Education. University of Oregon: Eugene, OR, USA, Volume 1277, p. 125.

Reuters. (2017). 'Reality Winner: US intelligence contractor charged with leaking material on US election'. ABC News (Online, 7 June 2017). Retrieved from http://www.abc.net.au/news/2017-06-07/us-intelligence-contractor-charged-with-leaking-nsa-document/8596650.


Rouse, M. (2017). Data governance definition. Retrieved from http://www.whatis.techtarget.com.

Russom, P. (2008). Data Governance Strategies: Helping Your Organization Comply, Transform, and Integrate. The Data Warehousing Institute, Los Angeles, CA, USA.

Seiner, R.S. (2014). Non-Invasive Data Governance, 1st ed. Technics Publications: New York, NY, USA.

Skroupa, C. P. (2017). 'The cost of a cyber breach – How much your company should budget' (Online, 19 April 2017). Retrieved from https://skytopstrategies.com/the-cost-of-cyber-breach-how-much-your-company-should-budget/.

Statista. (2020). Number of mobile phone users worldwide from 2015 to 2020. Retrieved from https://www.statista.com/statistics/274774/forecast-of-mobile-phone-users-worldwide/.

Stubbs, J. & Polityuk, P. (2017). 'Massive ransomware outbreak hits servers worldwide, it's like WannaCry all over again'. itnews (Online, 28 June 2017). Retrieved from https://www.itnews.com.au/news/massive-ransomware-outbreak-hits-servers-worldwide-466691?eid=1&edate=20170628&utm_source=20170628_AM&utm_medium=newsletter&utm_campaign=daily_newsletter.

Sulleyman, A. (2017). 'NHS cyberattack result of one big mistake'. The Independent (Online, 12 May 2017). Retrieved from http://www.independent.co.uk/life-style/gadgets-and-tech/news/nhs-cyber-attack-hospitals-hack-big-mistake-latest-news-a7733361.html.

The Information Commissioner's Office (ICO) UK. Supervisory Powers of the Information Commissioner, Monetary Penalty Notice under s 55A Data Protection Act 1998 (DPA). Retrieved from https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-honda-europe-20170320.pdf.

The World Bank. (2013). 'Mobile cellular subscriptions (per 100 people)', International Telecommunication Union, World Telecommunication ICT Development Report and Database. Retrieved from http://data.worldbank.org/indicator/IT.CEL.SETS.

Thomson, K. (2015). 'Twelve of Australia's most notorious hackers'. The Sydney Morning Herald (Online, 24 November 2015). Retrieved from http://www.smh.com.au/digital-life/consumer-security/twelve-of-australias-most-notorious-hackers-20151123-gl68od.html.

Wende, K. (2007). A Model for Data Governance—Organising Accountabilities for Data Quality Management. In Proceedings of the 18th Australasian Conference on Information Systems, University of Southern Queensland: Toowoomba, Australia, pp. 417–425.

Williams, T. & Yap, J. (2015). Holman Webb Lawyers, Internet Law Bulletin, September 2015, pp. 123–127.
