The Optus and Medibank cyber attacks in recent months have put a spotlight on the issue of hacking, identity theft, fraud and general data protection in Australia. With the AFP working hard to bring those responsible to justice, it’s now time for the Government to step up and not just talk, but act, to make Australia stronger and more resilient in the wake of these attacks.
It sounds like just words for words’ sake, but I believe the Government has a mandate from Australians right now to step up and step in to help prevent the widespread issues that might come from these attacks in the future, but also to help protect them.
Now I don’t fully understand legislation and how it all has to work, but I don’t think for a second this needs a year-long enquiry to see what needs to happen, and happen fast.
My plan – Let’s call it “Securing Australia’s Data” covers six key areas (already sounds like a policy doesn’t it?). They are:
Let me cover those off one by one. Stick with me. I think you might agree with some, not others, and I’d welcome your comments on Facebook and Twitter where they are constructive.
One of the key things we’ve all learned is that our Identity is precious, and while Governments have done a lot to make it harder to steal them using just document numbers and other Identifying information, it’s still a huge risk if our ID document numbers or associated information is stored by companies we deal with.
To counter this, the Government should expand the MyGovID system to be stronger and open to use by third parties outside of Government. This open access would not allow any data to be pushed out by MyGovID; instead the system would operate on a TOKEN basis, in a similar way to how our tap-and-go smartphone payment systems work. (When you tap your phone to make a payment, your phone doesn’t “transmit” your credit card info, it just sends a token unique to that transaction.)
This concept means that your licence number, passport number or any other personal info would never need to be shared with a Telco, Insurer or other company – just use MyGovID to authenticate.
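To make the token idea concrete, here is an added example (not part of the original post, and not how MyGovID actually works) of a hypothetical identity provider and a hypothetical telco relying on it. All names, identifiers and the five-minute token lifetime are constructed for illustration; the point is that the document numbers never leave the provider, and a token is single-use, time-limited and bound to one relying party.

```python
import secrets
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(minutes=5)  # assumed lifetime for a single sign-up token

class IdentityProvider:
    """Hypothetical MyGovID-style issuer. Document numbers never leave this class."""
    def __init__(self):
        self._citizens = {}  # citizen_id -> identity record (name, licence, passport)
        self._tokens = {}    # token -> (citizen_id, relying_party, expiry); single use
    def enrol(self, citizen_id, name, licence, passport):
        self._citizens[citizen_id] = {"name": name, "licence": licence, "passport": passport}

    def issue_token(self, citizen_id, relying_party, now):
        # Issued after the citizen logs in; bound to one relying party and one transaction,
        # like the per-payment token in tap-and-go.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (citizen_id, relying_party, now + TOKEN_TTL)
        return token

    def verify(self, token, relying_party, now):
        entry = self._tokens.pop(token, None)  # pop: a replayed token is rejected
        if entry is None:
            return {"verified": False, "reason": "unknown or already used"}
        citizen_id, bound_party, expiry = entry
        if bound_party != relying_party:
            return {"verified": False, "reason": "token bound to another party"}
        if now > expiry:
            return {"verified": False, "reason": "expired"}
        # Only the outcome, a display name and a receipt go back, never the document numbers.
        return {"verified": True, "name": self._citizens[citizen_id]["name"], "receipt": secrets.token_hex(8)}

class Telco:
    """Relying party: stores the provider's receipt, not copies of ID documents."""
    def __init__(self, name, idp):
        self.name, self.idp, self.customers = name, idp, {}
    def sign_up(self, token, now):
        result = self.idp.verify(token, self.name, now)
        if result["verified"]:
            self.customers[result["receipt"]] = {"name": result["name"]}
        return result

def demo():
    idp = IdentityProvider()
    idp.enrol("c1", "Jane Citizen", "LIC-000111", "PA0000001")  # constructed sample data
    telco = Telco("ExampleTelco", idp)
    t0 = datetime(2022, 11, 1, 9, 0)
    tok = idp.issue_token("c1", "ExampleTelco", t0)
    first = telco.sign_up(tok, t0 + timedelta(minutes=1))   # fresh token: accepted
    replay = telco.sign_up(tok, t0 + timedelta(minutes=2))  # same token again: rejected
    late = telco.sign_up(idp.issue_token("c1", "ExampleTelco", t0), t0 + timedelta(minutes=10))
    other = telco.sign_up(idp.issue_token("c1", "OtherInsurer", t0), t0)  # wrong party
    return first, replay, late, other, telco.customers
```

Run `demo()` to see the four outcomes; the telco's customer records end up holding a name and a receipt only.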
The biggest risk to Australians over the last month has been the possible fraud that would come from Identity theft. Now leaving aside the above as a brilliant preventative measure, Aussies are still human, and may hand over their IDs in other forms of scams or phishing.
What we saw with the Optus Hack was a concern that your identity would be taken and Credit or Loans would be applied for on your behalf.
The Government should create an “on/off” switch for our personal credit. Off by default, this “switch” would mean that no credit could be applied for under your name. If you were planning to apply for credit, you would turn it back on.
Banks, credit card companies, Buy-Now-Pay-Later companies and all lines of credit applications would need to incorporate this digital check into their application process. Of course, they would all wisely advise any applicant to turn the switch “on” to ensure you aren’t rejected and draw out the process.
And the switching “on” could be a time-limited thing.
This one simple move would completely wipe out the false credit scam market and be a game-changer for Australians.
Legislation should require the move to the digital ID system for companies over a threshold of customer numbers and/or revenue. Moving to that system would be incentivised by the lowering of data security levies (I’ll explain this later).
In addition, recommendations should cover the encryption of data, avoiding the storage of all user data in a single table (which makes bulk access much easier for anyone who gets in), and enforcing multi-factor authentication for daily and remote use.
Frankly, this is a tough area to legislate, so it will likely be used more as an incentive to meet these goals as part of the overall strategy.
Companies should not be allowed to store ANY data of former customers. The only exception here would be other legislation such as the Telco act which for law-enforcement reasons requires telcos to keep logs and metadata for a couple of years. But once those are passed, ALL data is erased.
Customers should receive a notification of deleted data at the time of leaving the business.
A clear expectation should be set around which data is stored, with an easy-to-read public statement on this accessible on websites so customers know what data is kept. Penalties would be introduced for the storage of former customer data.
Companies are money driven. If the cost of the fine is far lower than the cost of implementing strict security protocols, they will opt for the risk and the potential fine.
For this reason, the Government should without delay implement extreme penalties for data breaches.
These penalties should number in the tens of millions of dollars. Companies like Medibank or Optus should be facing a $100,000,000 fine here – that would make them re-think their security choices.
Additionally, to protect Australians, there should be vastly higher penalties for the publication of breached user data, and likewise for anyone convicted of engaging in scams, blackmail or ransom activities.
Regular spot checks and investigations should be possible under this legislation, meaning the regulator can come in and check a company for compliance against these regulations, with the company liable for penalties even when there has been no breach.
A Data Security Regulator should be tasked with keeping Aussie companies honest, and secure.
Australians need to see far more education on Cyber Security. “What is a scam” – “how to spot a scam” – “blackmail and ransom” all front and centre, year round.
Case studies and examples of how a little can lead to a lot, and how a DigitalID is a more secure future.
The “Australian Data Security Regulator” (ADSR) would be in charge of all things data security – of course – from compliance to education and fines. ScamWatch, currently run by the ACCC, should move into this regulator as it deserves its own home.
All companies with revenue over $10,000,000 (for example) should be subject to a “Securing Australia’s Data” Levy, which would fund all these activities. Incentives, or discounts on that levy, would be available for high levels of compliance.
The bottom line is, there are things that can be done. And they don’t need to take years.
These are just ideas, starters and concepts – what we need now is leadership and discussion, but not too much chit-chat. Let’s get this done.
Below are my dot points which outline the above concepts at a glance.
Protecting the Identity of Australians
Protecting the Credit and Finances of Australians
Storage of Data
Retention of Data
Penalties
Education