Labor to reconsider mandatory data retention laws for companies in light of major hacks
Following several high-profile data breaches in the past year, the federal government will review laws requiring companies to retain data as part of its new cyber security strategy.
Released on Wednesday, the 2023-30 strategy notes that data is increasingly used for ransom attacks and as a tool for coercion.
“Mishandling of sensitive and critical datasets can cause grave damage to Australia’s national interests,” it says. “Technological advancements have enabled malicious actors to develop vast data profiles on businesses, individuals and officials for intelligence gathering and commercial purposes.”
The strategy points out that businesses have voiced concerns that they are required to store substantial amounts of data for excessive periods of time, making them potentially high-value targets for hacking.
This was something raised in the wake of the Optus and Medibank data breaches, where tens of millions of customer records dating back years were exposed, with some then ending up on the dark web.
The controversial mandatory data retention legislation, passed in 2015, requires telecommunications companies to hold a range of customer information including name, address, location information, call records and other data for two years to allow access by law enforcement.
To address the concerns of businesses, the federal government said that in addition to the Privacy Act reforms already under way, the government would also review federal legislative data-retention requirements to determine “whether existing provisions are appropriately balanced”, with a view to minimising or simplifying retention requirements.
Alistair MacGibbon, senior strategy officer at CyberCX, told Guardian Australia a good rule of thumb was that businesses cannot lose or misuse data they do not keep in the first place.
“We need corporations and government to have that view, but that doesn’t mean no information should be collected or retained, including for law enforcement purposes. I think it’s a really sensible discussion to have.”
MacGibbon said there was a tendency for businesses to misinterpret their collection obligations, and that there was value in reviewing the existing laws to see if they were still fit for purpose.
“You should never have set-and-forget for any technology or legal situation … society changes.”
He said it was also important to distinguish what data needed to be retained by government, and how accessible that data may be.
“Some of the worst data breaches we’ve seen are to do with data that should have been under lock and key in cold storage, not hot or warm storage of an organisation where criminals can then steal it.”
There will also be a review into the murky world of data brokering – where companies collect data about their users and sell it to other companies. The review will look at whether more action is required to address the risks.
California passed a law last month that will allow people to request all data brokers in the state to delete the data held on them.
MacGibbon said a crackdown on brokerage would be welcome news.
“We have allowed an economy to develop where supposedly cool services can be delivered off the data that’s collected from citizenry that didn’t understand or know that they were allowed, that they were even giving their consent. And absolutely, there needs to be a clampdown on data and brokerage.
“It’s an anathema, but in 2023 these are unregulated industries – we would never allow it offline.”