A high-profile Australian data hack has left the country’s universities in an “absolute conundrum” as they balance the risk of holding on to people’s personal information against the consequences of discarding it prematurely.
A Brisbane forum has heard that last month’s data breach at telecommunications company Optus, when cybercriminals obtained the names, dates of birth, phone numbers and email addresses of an estimated 10 million Australians – and driver’s licence, Medicare and passport numbers of hundreds of thousands – has left universities in an invidious position.
“One of the ways we combat [fraud] is to require institutions to collect more and more identifying data on individuals to prove they are who they are,” Queensland University of Technology chancellor Ann Sherry told the National Conference on University Governance. But the Optus breach had demonstrated hackers’ ability to penetrate “very sophisticated systems”.
Universities had “a very rich treasure trove of data that we hold for a whole lot of reasons, that are often legally required”, Ms Sherry said. This raised questions about how to balance the “management of risks of fraud and the management of risks that come with cybersecurity breaches”.
Commercial lawyer and data governance expert Patrick Fair said organisations subjected to data breaches faced “huge costs” in analysing the lost information and notifying the people affected. “It’s just not worth… taking money from something else to do that, particularly the more you’re facing the risk of a data breach,” he told the conference.
He said privacy compliance audits routinely found that organisations had failed to destroy data they “no longer needed” – often because of a “misapprehension” that they needed to “keep everything” to avoid being sued.
“The Privacy Act says you shouldn’t keep anything for longer than the purpose for which you’ve collected it,” said Mr Fair, an adjunct professor with Deakin University. But that period could depend on the circumstances.
“If you build a dam, you might want the contracts for that dam to be there for some time in case the crack emerges after 30 years,” he said. Institutions also needed to weigh the risk of being pinged for “destruction of evidence” if they discarded data subsequently required for a lawsuit.
“It’s an absolute conundrum,” Mr Fair acknowledged. “I’m not sure how we can develop a methodology… where we anticipate in advance how long we’re going to keep information, and we tag it for destruction when it’s filed, so that that can be done quickly and effectively in compliance with the Privacy Act.”
Former home affairs minister Karen Andrews said the Optus breach had been a “serious wake-up call” for many enterprises, including research organisations. “The risk now for Optus, apart from the enormous reputational damage… is that it may well be that Optus has kept data that it didn’t need to keep.
“We won’t know that conclusively, probably, for some time now. But data has been kept. At least 10,000 identities are now being sold… on the dark web.”
She told the conference that the lone positive from the breach was that it had heightened people’s awareness. “Once that data is stolen, you will be quickly subject to most likely a ransomware attack. Globally, there’s a ransomware attack every 11 seconds. Ransomware attacks are the break-and-enters of the current century.”