The Optus and Medibank cyber attacks in recent months have put a spotlight on the issues of hacking, identity theft, fraud and general data protection in Australia.  With the AFP working hard to bring those responsible to justice, it’s now time for the Government to step up and not just talk, but act, to make Australia stronger and more resilient in the wake of these attacks.

It sounds like just words for words’ sake, but I believe the Government has a mandate from Australians right now to step up and step in, both to help prevent the widespread issues that might come from these attacks in the future and to help protect them.

Now I don’t fully understand legislation and how it all has to work, but I don’t think for a second this needs a year-long enquiry to see what needs to happen, and happen fast.

My plan – Let’s call it “Securing Australia’s Data” covers six key areas (already sounds like a policy doesn’t it?).  They are:

  1. Protecting the Identity of Australians
  2. Protecting the Credit and Finances of Australians
  3. Storage of Data
  4. Retention of Data
  5. Data Security Penalties
  6. Cyber Education

Let me cover those off one by one.  Stick with me.  I think you might agree with some, not others, and I’d welcome your comments on Facebook and Twitter where they are constructive.

Protecting the Identity of Australians

One of the key things we’ve all learned is that our Identity is precious, and while Governments have done a lot to make it harder to steal them using just document numbers and other Identifying information, it’s still a huge risk if our ID document numbers or associated information is stored by companies we deal with.

To counter this, the Government should expand the MyGovID system to be stronger and open to use by third parties outside of Government.  This open access would not allow any data to be pushed out by MyGovID; instead the system would operate on a TOKEN basis, in a similar way to how our tap-and-go smartphone payment systems work. (When you tap your phone to make a payment, your phone doesn’t “transmit” your credit card info, it just sends a token unique to that transaction.)

This concept means that no licence number, passport number or other personal info would ever need to be shared with a Telco, Insurer or other company – just use MyGovID to authenticate.
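To make the token idea concrete, here is an added example (not code from the post, and not MyGovID’s actual design) of the exchange it describes: a hypothetical identity provider holds the document data, and a relying party such as a telco receives only a short-lived, single-use token bound to that relying party, so it can confirm “this identity is verified” without ever seeing a licence or passport number. The HMAC shared secret, the two-minute lifetime, the user id and the document number are all constructed for the demo; a real system would use public-key signatures rather than a shared key.

```python
import base64
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    """Hypothetical central verifier: the only party that stores document data."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        # Constructed sample record; this data never leaves the provider.
        self._records = {
            "user-42": {"licence": "DL-CONSTRUCTED-0001", "verified": True},
        }

    def issue_token(self, user_id: str, audience: str, now: float, ttl: int = 120) -> str:
        rec = self._records.get(user_id)
        if rec is None or not rec["verified"]:
            raise PermissionError("identity not verified")
        claims = {
            "sub": user_id,                 # opaque subject id, not a document number
            "aud": audience,                # the one relying party this token is for
            "iat": int(now),
            "exp": int(now) + ttl,          # short lifetime limits replay window
            "jti": secrets.token_hex(8),    # unique id so each token is single-use
            "identity_verified": True,      # the only fact the relying party learns
        }
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


def decode_claims(token: str) -> dict:
    """Decode the claims part of a token (no verification; used to inspect contents)."""
    body = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(body))


class RelyingParty:
    """A telco or insurer: checks tokens, never stores identity documents."""

    def __init__(self, name: str, verification_key: bytes):
        self.name = name
        self._key = verification_key
        self._seen_jti = set()  # replay protection for single-use tokens

    def verify(self, token: str, now: float):
        try:
            body, sig = token.split(".")
        except ValueError:
            return (False, "malformed")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return (False, "bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims.get("aud") != self.name:
            return (False, "wrong audience")   # token minted for someone else
        if now > claims["exp"]:
            return (False, "expired")
        if claims["jti"] in self._seen_jti:
            return (False, "replayed")
        self._seen_jti.add(claims["jti"])
        return (True, claims["sub"])


def demo() -> dict:
    """Walk through the exchange and return each outcome for inspection."""
    key = b"constructed-demo-key"  # assumption: shared HMAC key stands in for a signature
    idp = IdentityProvider(key)
    telco = RelyingParty("telco", key)
    insurer = RelyingParty("insurer", key)
    t0 = 1_700_000_000.0

    tok = idp.issue_token("user-42", "telco", t0)
    results = {"first_use": telco.verify(tok, t0 + 10)}
    results["replay"] = telco.verify(tok, t0 + 11)
    results["wrong_audience"] = insurer.verify(idp.issue_token("user-42", "telco", t0), t0 + 1)
    results["expired"] = telco.verify(idp.issue_token("user-42", "telco", t0), t0 + 500)
    tampered = tok[:-4] + ("0000" if not tok.endswith("0000") else "1111")
    results["tampered"] = telco.verify(tampered, t0 + 1)
    results["leaks_document"] = "licence" in decode_claims(tok)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the post makes is visible in `demo()`: the relying party confirms the identity once and the token is then useless to anyone else (wrong audience, replayed, expired or tampered all fail), and the decoded claims contain no document number at all.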

Protecting the Credit and Finances of Australians

The biggest risk to Australians over the last month has been the possible fraud that would come from Identity theft.  Now leaving aside the above as a brilliant preventative measure, Aussies are still human, and may hand over their IDs in other forms of scams or phishing.

What we saw with the Optus Hack was a concern that your identity would be taken and Credit or Loans would be applied for on your behalf.

The Government should create an “on/off” switch for our personal credit.  Off by default, this “switch” would mean that no credit could be applied for under your name.  If you were planning to apply for credit, you would turn it back on.

Banks, credit card companies, Buy-Now-Pay-Later companies and all lines of credit applications would need to incorporate this digital check into their application process.  Of course, they would all wisely advise any applicant to turn the switch “on” to ensure you aren’t rejected and draw out the process.

And the switching “on” could be a time-limited thing.

This one simple move would completely wipe out the false credit scam market and be a game-changer for Australians.
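As an added illustration (my own example code, not anything from the post or from a real credit bureau), this is how the switch would behave as a small registry that a lender’s application system consults before running any credit check: off by default for every user, turned on for a limited window (the 14 days given in the post’s dot points), extendable only while still active, and declined otherwise. User ids and dates are constructed; authenticating the user through MyGov before they flip the switch is assumed to happen outside this code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

WINDOW = timedelta(days=14)  # default active period from the post's dot points


@dataclass
class SwitchState:
    active_until: Optional[datetime] = None  # None means OFF, the default


class CreditSwitchRegistry:
    """Hypothetical registry of per-person credit switches."""

    def __init__(self) -> None:
        self._states: Dict[str, SwitchState] = {}  # absent user == OFF
        self.audit: List[Tuple[datetime, str, str]] = []  # who changed what, when

    def is_on(self, user_id: str, now: datetime) -> bool:
        st = self._states.get(user_id)
        return st is not None and st.active_until is not None and now < st.active_until

    def turn_on(self, user_id: str, now: datetime) -> datetime:
        """User (already authenticated) opens the window; returns its expiry."""
        st = self._states.setdefault(user_id, SwitchState())
        st.active_until = now + WINDOW
        self.audit.append((now, user_id, "on"))
        return st.active_until

    def extend(self, user_id: str, now: datetime) -> datetime:
        """Extension is only allowed while the switch is still active."""
        if not self.is_on(user_id, now):
            raise ValueError("switch is off; it must be turned on, not extended")
        st = self._states[user_id]
        st.active_until = now + WINDOW
        self.audit.append((now, user_id, "extend"))
        return st.active_until

    def turn_off(self, user_id: str, now: datetime) -> None:
        """User closes the window early once their application is done."""
        self._states[user_id] = SwitchState()
        self.audit.append((now, user_id, "off"))


def assess_application(registry: CreditSwitchRegistry, user_id: str, now: datetime) -> str:
    """What a lender's system does before any credit check or account opening."""
    if not registry.is_on(user_id, now):
        return "declined: applicant's credit switch is off"
    return "proceed: credit switch is on"


if __name__ == "__main__":
    reg = CreditSwitchRegistry()
    t0 = datetime(2022, 11, 1, tzinfo=timezone.utc)
    print(assess_application(reg, "user-42", t0))          # off by default
    reg.turn_on("user-42", t0)
    print(assess_application(reg, "user-42", t0 + timedelta(days=3)))
    print(assess_application(reg, "user-42", t0 + timedelta(days=15)))  # window lapsed
```

The design choice worth noting is that an expired window cannot be extended: someone who obtained a person’s details has to get through the MyGov login to open the window at all, which is exactly the barrier the post is after.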

Storage of Data

Legislation should require the move to the digital ID system for companies over a threshold of customer numbers and/or revenue.  Moving to that system would be incentivised by the lowering of data security levies (I’ll explain this later).

In addition, there should be recommendations around the encryption of data, along with minimising the storage of all user data in a single table (which makes it far easier to access everything at once), and enforcing multi-factor authentication for daily and remote use.

Frankly, this is a tough area to legislate, so it will likely be used more as an incentive to meet these goals as part of the overall strategy.

Retention of Data

Companies should not be allowed to store ANY data of former customers.  The only exception here would be other legislation such as the Telco act, which for law-enforcement reasons requires telcos to keep logs and metadata for a couple of years.  But once those periods have passed, ALL data is erased.

Customers should receive a notification of deleted data at the time of leaving the business.

A clear expectation should be set around which data is stored, with an easy-to-read public statement on this accessible on websites so customers know what data is kept.  Penalties would be introduced for the storage of former customer data.

Data Security Penalties

Companies are money driven.  If the cost of the fine is far lower than the cost of implementing strict security protocols, they will opt for the risk and the potential fine.

For this reason, the Government should without delay implement extreme penalties for data breaches.

These penalties should number in the tens of millions of dollars.  Companies like Medibank or Optus should be facing a $100,000,000 fine here – that would make them re-think their security choices.

Additionally, to protect Australians, there should be vastly higher penalties for the publication of breached user data, and likewise for anyone convicted of engaging in scams, blackmail or ransom activities.

Regular spot checks and investigations should be possible under this legislation, meaning a regulator can come into a company and check it for compliance against these regulations, with the company liable for penalties even when there has been no breach.

A Data Security Regulator should be tasked with keeping Aussie companies honest, and secure.

Cyber Education

Australians need to see far more education on Cyber Security.  “What is a scam” – “how to spot a scam” – “blackmail and ransom” all front and centre, year round.

Case studies and examples of how a little can lead to a lot, and how a DigitalID is a more secure future.

How do we fund all this?

The “Australian Data Security Regulator” (ADSR) would be in charge of all things data security – of course.  From the compliance, to education and fines.  ScamWatch – currently run by the ACCC should move into this regulator as it deserves its own home.

All companies with revenue over $10,000,000 (for example) should be subject to a “Securing Australia’s Data” Levy, which would fund all these activities.  Incentives, or discounts on that levy, would be available for high levels of compliance.

The bottom line is, there are things that can be done.  And they don’t need to take years.

These are just ideas, starters and concepts – what we need now is leadership and discussion, but not too much chit-chat.  Let’s get this done.

Below are my dot points which outline the above concepts at a glance.

A Proposal for the AUSTRALIAN FEDERAL GOVERNMENT

Securing Australia’s Data

Protecting the Identity of Australians

  • Expanding MyGovID or breaking it out as MyID
  • Create a new central “verification” system (myID), in which no licence/passport or other ID data is stored, but a “token” is exchanged confirming an ID is verified
  • Operated independent of Government but subject to government and bank level security protocols – funded by a Corporate Levy – the “Securing Australia’s Data” levy, which is paid by companies with revenue over $10,000,000

Protecting the Credit and Finances of Australians

  • Create a new system as part of the credit application process for all credit including BNPL, credit cards, personal, car and home loans.
  • All financial institutions to verify identity via new token system
  • All identities linked to MyGov accounts where a “Credit” switch is available to all users.
  • Switch is OFF by default
  • Users applying for a new loan, or credit use “MyGov” or MyGovID to log in and “turn on” their credit, with the switch active for 14 days unless extended by the user within that period.
  • Operated by a regulator outside of government, but with government and bank level security protocols.  Regulator funded by Securing Australia’s Data Levy

Storage of Data

  • Move to Token based Identity verification and storage, instead of storing actual identity document data
  • Incentivise the speed of the move to the token system with Levy discounts
  • Encryption of data should be the default, along with minimising the use of single tables for data storage, with separation to prevent ease of access
  • Multi-factor authentication requirement built into key systems

Retention of Data

  • Existing Customers Only
    • Except where other legislation requires it (i.e. Telco data retention)
  • Notification of deletion to customers
  • Expectation should be that only data that is necessary for business is held.
  • Penalties for the retention of former customer data

Penalties

  • IMMEDIATELY implement penalties for the publication of breached user data
  • IMMEDIATELY implement higher penalties for Scams, Blackmail, Ransom of Australians
  • Data breach penalties raised to $100,000,000, based on the size of the company and the scale of the breach as a percentage of total user base
  • Securing Australia’s Data Levy to fund regulator to undertake spot checks of Storage and Retention policies and implementations in businesses
  • Data retention and storage breaches should be investigated, checked, and penalised in the normal course of business, not only after a breach has occurred.

Education

  • A blanket campaign covering “what is a scam” – “how to spot a scam” – “blackmail and ransom”