InfoGovANZ

Information Governance Think Tank

Data & Infonomics

Dark Data – the risks, costs and ESG

by

Dark data poses potentially significant risks and costs for organisations. Additionally, with an increasing focus on ESG reporting, organisations should be considering how they can measure and report on each element of ESG with respect to data being collected, generated, used and stored.

This article by Susan Bennett considers the often-overlooked energy costs of storing data, particularly as we move into the age of AI, together with the risks for organisations arising from increasing privacy and cyber security regulatory requirements. The regulatory enforcement focus on data minimisation, requires organisations to implement active data disposal and regulatory requirements to implement adequate systems and processes to protect and secure data and information. This means more than ever that organisations need to be proactive in implementing robust information and data governance and measuring the ESG of data.

The problem of dark data

Dark data is data that is collected or generated and then not utilised by the organisation. As data storage is relatively cheap compared to traditional archiving costs for hard copy records, organisations have been collecting, generating and storing exponentially increasing volumes of data. According to the Digital Decarbonisation research, up to 65% of data generated is never used and up to 15% is out of date.[I] Unless data being held is accurate, accessible and is being utilised, it is ROT. That is, data that is redundant, outdated, trivial or transitory. Data ROT poses a number of risks and potentially significant costs to organisations including:

  • Data Breaches and consequent regulatory investigations and class actions arising from:
  • Exposing personal data in breach of privacy regulations
  • Exposing personal data, which should have been destroyed or de-identified as it was no longer required and therefore, in breach of relevant privacy regulations.
  • eDiscovery costs in litigation, Royal Commission and regulatory investigations.
  • Inefficiencies arising from delays for employees in identifying and accessing up-to-date and accurate data and reliable information on which to carry out their day-to-day work and for good decision-making within the organisation.
  • Lack of data integrity, which may impact the quality of decision-making made at all levels within an organisation, including in AI and generative AI uses within organisations.
  • Storage costs and increased energy consumption.

Data Value

The focus on data is often discussed in terms that leads many executives and board directors to believe that data being collected and stored is or can be of value. However, decision-making or insights drawn from outdate, unreliable, or biased information is unlikely to produce any value and may give rise to legal risks and consequences. Data is of value when it is accurate, reliable and accessible and where insights and information produced from analysis enable good decisions to be made, deriving value for the organisation and ultimately delivering returns to the bottom line, as shown in the diagram below.

Figure 1 Data Value Delivering on Strategic Goals

To reduce the risks and costs arising from storing organisations, it is important that organisations implement robust information governance and robust data and information lifecycle management – read more about how to implement these in The Information Governance Primer here and the Information Lifecycle Management: what is it and how it reduces risk? here.

Figure 2 Information Lifecycle Management

ESG risks and costs of data

Organisations need to be taking action to manage data to minimise risks and their digital carbon footprint. A report by UTS’s Institute for Sustainable Futures Institute released in July 2023 on ‘IT & Data Centre Sustainability in Australia’ has highlighted that the data centre industry is ‘exposed to significant ESG (environmental, social, and corporate governance) risks that have largely escaped our collective attention’, including the increasing need for cooling combined with huge demands for data. The report included a survey of sustainability professionals conducted between May and June 2023. The key insights from the survey included the following:[ii]

  • Sustainability professionals rely on quality data to inform their actions. Only 5% of respondents felt that the quality of sustainability-related data received from Data Centre service operators was detailed. 46% of respondents were receiving no sustainability-related data. In total 59% of respondents either had insufficient, or no sustainability-related data from Data Centre service operators.
  • 77% of respondents either agreed, or somewhat agreed, that organisations cannot reach their sustainability goals without significantly reducing Data Centre energy usage.
  • 48% of respondents were fully aware or had some awareness of the amount of energy that data centres consume. However, 29% of respondent’s organisations did not consider Data Centre energy consumption at all. Only 22% of respondents indicated that their organisation pays sufficient attention to Data Centre energy consumption.
  • 81% of respondents thought that demand for data management would increase with 21% stating it would significantly increase whereas 19% of respondents did not think demand for data management would increase.
  • Over 70% of organisations surveyed had sustainability of data centres prioritised data centres in their practices, but only 9% were fully considering it. Only 15% of respondents indicated sustainability issues were a critical consideration for their organisation in procurement for Data Centre service providers.
  • The most cited constraints when addressing Data Centre sustainability issues were knowledge and awareness of sustainability risks (21%), insufficient budget (18%) and poor-quality data (16%).

Energy Costs of Data Storage

The Digital Decarbonisation Project, which is funded by the UKRI National Circular Economy Research Hub and involves academics from Loughborough University states that, ‘despite the media’s focus on carbon emissions from the automotive, aviation, and energy sectors, the data industry is likely to produce more emissions than these industries combined.’[iii]

The UTS report states that currently and predicted CO2 emissions from software-related activities, account for 4-5% of global emissions. The report goes on to predict that by 2040, ‘it is estimated that software-related CO2 emissions may account for 14% of the world’s carbon footprint.’[iv] In relation to data centres and data transmission networks, the International Energy Agency reports that data centres and data transmission networks accounted for 0.9% of energy-related GHG emissions and that global data centre electricity use in 2021 was around 0.9-1.3% of global final electricity demand.’[v]

The UTS report explains that one of the major reasons why data centres use so much energy is for cooling. The report also points out that: [vi]

Ireland is now home to 25% of the data centres in Europe including newly constructed hyperscale Data centres. However, the large number of Data centres, with projections for future growth, is leading to instability in Ireland’s energy grid. According to Ireland’s Central Statistics Office electricity consumption by data centres increased by 32% in 2021. Over a six-year period to December 2021 electricity consumption by data centres increased by 265%. According to EirGrid, Ireland’s energy grid manager, by 2031, 28% of all electricity demand in Ireland is expected to come from data centres and other new large energy users. EirGrid is concerned that the growth of data centres is leading to grid instability citing the amber alerts issued in 2022.

The report also points out that the growth in use of artificial intelligence and digital currencies has the potential to increase the demand for Data Centre services.[vii]

ESG mandatory reporting for companies

Several recent developments in 2023 have highlighted that organisations need to come to grips with how they will measure ESG and be prepared to meet emerging mandatory ESG reporting requirements.

The European Union’s Corporate Sustainability Reporting Directive (CSRD (EU) 2022/2464) came into force on 5 January 2023 and introduced sustainability reporting requirements for EU companies, non-EU companies meeting certain thresholds for net turnover in the EU and companies with securities listed on a regulated EU market. Companies subject to the CSRD are required to disclose information about how sustainability-related factors, covering environmental, social and human rights and governance, affect their operations and information about how their business model impacts sustainability factors.

On 26 June 2023, the International Sustainability Standards Board (ISSB) issued its inaugural standards – IFRS S1 and IFRS S2 – for sustainability-related disclosures. They include IFRS S1 General Requirements for Disclosure of Sustainability-related Financial Information and IFRS S2 Climate-related Disclosures.

The ISSB explain that the Standards are designed to ensure that companies provide sustainability-related information alongside financial statements. The Standards have been developed to be used in conjunction with any accounting requirements.

The creation of the ISSB was announced at COP26, the 2021 UN Climate Change Conference in Glasgow, with the role of creating a global baseline for sustainability reporting. The UK government has been a strong supporter of the ISSB and is aiming to make endorsement decisions on the first 2 standards to create UK Sustainability Disclosure Standards (SDS) by July 2024.

Also in June 2023, the Chair of ASIC Joe Longo made several statements highlighting the importance of ESG reporting for listed companies in Australia including that, ‘ESG reporting is simply the next stage in a long series of important moves towards greater transparency and higher disclosure standards. Highlighting that ‘good disclosure depends on good governance’, Joe Longo said companies should be asking themselves:[viii]

  • How can sustainability and financial reporting work together to function as an integrated whole?
  • How can we ensure that marketing and advertising teams work with the legal and risk teams to ensure cohesion around sustainability-related claims?
  • What assurances and processes can be put in place to ensure that the board is appropriately informed and confident about the information that is being put out?

The move towards mandatory ESG reporting, requires organisations to implement processes to ensure that the relevant and accurate data can be efficiently collected, measured and reported upon as required. This includes companies being able to identify, measure and report upon the energy costs of dark data and minimising data within the organisation. As generative AI and large language models are increasingly used within organisations the significant increase in energy consumption and environmental and social impacts (arising from the use of personal data and/or data which may be subject to copyright) should also be measured as part of the design considerations at the outset of new data-driven technology projects.

Measuring data carbon

The Digital Decarbonisation project led by academics, Professor Thomas Jackson and Professor Ian Hodkinson from Loughborough University, has designed a tool called the ‘Data Carbon Ladder’, which can be used in new data projects. The tool helps an organisation determine the appropriate size of the dataset(s) required, the optimal frequency for updates, the most suitable storage location, and the analytics necessary for a project. The Data Carbon Ladder can provide an estimated data CO2 footprint for a project, identifying areas where improvements can be made to minimise environmental impact. The Data Carbon Ladder is aimed at helping organisations make data-driven decisions, which enhance their bottom line and also align with their sustainability goals. Read more about the Data Carbon Ladder and how to use it in the article by Jackson and Hodgkinson.[ix]

The Five Essential Key Steps for Data and ESG

  1. A process for ensuring that the organisation has a continual and reliable mechanism for identifying data repositories and the types of data held within those repositories (the ‘Data Map’). Organisations need to understand what data they are collecting, why, and where it is being stored, including data held in third-party systems and cloud storage.
  2. An up-to-date Records Retention and Disposal Policy, which is enforced. This is an essential bedrock for enabling data disposal in accordance with the expiration of the retention period.
  3. Establish (or ensure) the Information and Data Governance Committee is overseeing the continual disposal of robust data and information lifecycle with reporting to the risk committee and/or board.
  4. An AI Plan and Strategy, which links the AI Framework, Information Governance Framework and the overall enterprise risks management framework. A key problem for boards and senior executives is the lack of integrated reporting in relation to data and information risks. The linking of the AI Framework and an Information Governance Framework with the enterprise Risk Management framework is essential so that boards are properly informed of the interconnected data, technology and regulatory compliance risks.
  5. Develop measurements for Data and an ongoing annual measurement and reporting of Data ESG criteria including:
    • Auditing of data and information lifecycle in accordance with privacy, IT security, AI  policies and procedures covering:
      • Collection and re-use of data including personal data and applicable ethical requirements
      • Privacy impact assessments, AI impact assessments, IT security impact assessments
    • Costs of onsite and cloud storage (as well as the maintenance/energy and storage costs of any physical hard copy archives).
    • Measuring carbon of data stored by the organisation, including data held in data stores.
    • Measuring carbon for data-intensive projects, particularly projects using AI or large language models using large data sets.

If you are interested in learning more about ESG and Data, join The Governance in ESG Workshop – September – InfoGovANZ

Author: Susan Bennett, LLM(Hons), MBA, FGIA, CIPP/E Founder of InfoGovANZ, Governance and Privacy Lawyer

Contact: susan.bennett@infogovanz.com

[i] Digital Decarbonisation, Costs of digitalisation to society, industry and the environment – Digital Decarbonisation

[ii] University of Technology Sydney, Institute of Sustainable Futures Report, 4

[iii] Digital Decarbonisation, Costs of digitalisation to society, industry and the environment – Digital Decarbonisation

[iv] University of Technology Sydney, Institute of Sustainable Futures Report, 6

[v] Ibid

[vi] Ibid 7

[vii]Ibid 6-7

[viii] ASIC, ASIC Chair’s AFR ESG Summit speech , 5 June 2023

[ix] Thomas Jackson and Ian Richard Hodgkinson (2023) Is there a role for knowledge management in saving the planet from too much data?, Knowledge Management Research & Practice, 21:3, 427-435, DOI: 10.1080/14778238.2023.2192580

 

What’s happening with data from your car?

by

Mozilla released a report last week that examined the terms of service for 25 car companies and the types of data being collected.  The report states, ‘they can collect information about how much money you make, your immigration status, race, genetic information, and sexual activity (it’s in there!).’  Concerningly, the report provides ‘Twenty two of the car brands (88% of the ones we looked at) mentioned creating inferences — assumptions about you based on other data. And nine of those companies (39%) said specifically that they might sell them to third parties.’

Included in the report is an extract from  Tesla’s Terms of Service, “if you no longer wish for us to collect vehicle data or any other data from your Tesla vehicle, please contact us to deactivate connectivity. Please note, certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality rely on such connectivity. If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability.” [emphasis added]

Read the full report here *privacy not included Mozilla Foundation

UK Department of Education reprimanded after misuse of personal information of up to 28 million children

by

The UK’s Information Commissioner, John Edwards, has issued a reprimand to the Department for Education following the prolonged misuse of the personal information of up to 28 million children and a failure to do due diligence on who could access pupils’ learning records. An employment screening firm, trading as Trustopia, used the database to assist another organisation in checking if people opening online gambling accounts were 18.

Read more here.

What is ‘dark data’ and how is it raising carbon footprints?

by

In this article from the World Economic Forum, Tom Jackson and Ian R. Hodgkinson identify that organisations need to think about how to manage their data to minimise their digital carbon footprint.

Storage of ‘dark data’ defined as single-use data in the article, data takes up space on servers and results in increased electricity consumption.  The authors point out that digitization generated 4% of global greenhouse gas emissions in 2020.

To read more on how dark data contributes to carbon emissions, and how organisations can lower their carbon footprint, click here.

OAIC Notifiable Data Breaches Scheme – The first 4 years

by

The Notifiable Data Breaches (NDB) scheme commenced in February 2018, introducing new obligations for Australian government agencies and private sector organisations with an annual turnover of $3 million AUD or more. Notably, under the NDB scheme organisations are required undertake an assessment should they suspect: 

  • Unauthorised access to or disclosure of personal information, or loss of personal information where access by unauthorised persons is likely to occur, 
  • Serious harm to the individuals to whom the information relates is likely to occur, and 
  • The risk of serious harm cannot be addressed through remedial action. 

If the assessment indicates that serious harm is likely to result from a data breach, they must notify the Office of the Australian Information Commissioner (OAIC) as well as all affected individuals so they can take action to address possible consequences and also. As data breaches and subsequent investigations are often significantly complex, an organisation or agency is given a baseline of 30 days to assess whether a data breach is likely to result in serious harm. However, once the organisation has formed the view that a data breach has occurred, individuals who may be seriously impacted by the data breach must be notified as soon as practicable. For example, in their recent data breach Optus has indicated that the assessment process took place over the course of no more than a couple of days prior to start of the notification process. 

The OAIC has published bi-annual reports summarising the details of reported data breaches since 2018 and this article examines some of the identifiable trends in these reports over the past four years. The OAIC report for the most recent 6-month period (Jan-Jun 2022) should be released in the next few weeks, however some released statistics from the impending report indicate that the observed trends discussed in this article continue through the most recent period. The full OAIC reports are available from https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics, and further information is available on the OAIC website: https://www.oaic.gov.au/privacy/data-breaches 

Organisations that fail to report a notifiable data breach can be subject to the same penalty as if they committed a serious or repeated breach of privacy, however organisations may look for a defensible reason to avoid reporting a breach as opposed to having to report a data security failure to the regulator. Even serious breaches where substantive personal data has been lost might be considered non-notifiable should the breached organisation feel they have undertaken sufficient remediation action which lessens the chance of serious harm.  

Ransomware attacks, one of the common externally perpetrated data breach events, have evolved in recent years to extend beyond holding data in an encrypted state and often now include the exfiltration of sensitive data from target organisations. Data is often held by the attacker, with the threat of publication on the dark web balanced against payment of the ransom. Should the breached organisation make payment of the ransom, the attacker generally will agree to delete the exfiltrated data. While it is essentially impossible to be certain that all copies of this data have been deleted, a breach organisation is likely to consider such an arrangement as sufficient “remediation” of the breach event in that the likelihood of the data being used in such a way that would cause serious harm to individuals is substantially reduced. In such circumstances, the breached organisation may choose not to report the incident to the OAIC, despite the severity of the initial data breach.

Breach Notification Trends 

Due to the complex nature of data breaches and reclassification of notifications over time, there is some variation in breach notification statistics between the time of OAIC publication and the present date. The stats shown in this article are taken from each quarterly/bi-monthly report which reflected notification data at the time of report publication, however it should be noted that breach statistics will have changed to a degree from what we have summarised from the OAIC reports. 

Over the past 4 years, there have been more than 3,500 reported data breaches, of which 60% were Malicious (or criminal), 35% were Human Error and 4% were due to System Faults. Taking into account that 2018 was a partial reporting year, approximately 1,000 breaches would have been reported to the OAIC across 2018 and 2019, with a slight uptick in 2020 and a substantial reduction in 2021. A summary of the data breach notifications made to the OAIC are displayed in the table immediately below 

Year  Breaches  Change  Malicious  Change  Human error  Change  System fault  Change 
20181  749    449    265    35   
2019  997  0%  625  +4%  329  -7%  43  -9% 
2020  1,057  +6%  627  0%  380  +16%  50  +16% 
2021  910  -14%  545  -13%  324  -15%  41  -18% 
Total  3,713    2,246    1,298    169   

 The table above also shows that malicious action breach incidents (combining both internal and externally originated) increased in 2019 compared against “non-malicious” breach types, however this trend was reversed in the following year. This was followed by was a slight reduction in all types of breach notifications in 2021. Overall, the OAIC NDB reports show a fairly flat trajectory over the length of the scheme.  

Conversely, US data on publicly reported data breaches over this time period shows year on year increases between 2018 and 2021, effectively doubling from 1,244 to 2,407 per year over this time period2. It is worth noting that data breach reporting requirements in the US vary from state to state and are substantially different to the Australian NDB scheme. However, the significant difference in the overall trend of breach reports is still interesting, particularly as the US Data indicate that the number and severity of malicious cyber-attacks appear to be increasing over time 3 in contrast, the declining number of reported malicious breaches (as well as non-malicious breaches) in the Australian NDB data suggests there may be other systemic factors at play with regards to the number and type of breaches reported under NDB scheme.   

Number of individuals impacted by a breach 

As can be seen in the table below, the majority of data breaches tend to have low numbers of individuals affected by the breach. However, the number data breaches affecting large numbers of individuals remained fairly steady over the data period, indicating that a significant proportion of the Australian population is likely to have been impacted by a data breach throughout this time period. 

Year  Total Breaches  <1k  1k-5k  5k-10k  10k-25k  25k-50k  50k-100k  100k-250k  250k-500k  500k-1m  >1m  Unknown 
2018  749  638  61  15  9  1  4  4  1  0  2  14 
2019  997  834  74  19  16  7  5  5  2  0  5  30 
2020  1,057  890  90  12  13  14  6  2  4  2  7  13 
2021  910  787  71  12  15  7  5  4  2  1  4  2 
Total  3,692  3,149  296  58  53  29  20  15  9  6  16  59 

Kinds of personal information (PI) involved in breaches 

The majority of personal information present in data breaches was contact information, followed almost equally by financial and identity information. The proportions of personal information types present in data breaches has not changed significantly year to year, indicating that there has not been significant changes in the how organisations are holding or protecting particular types of personal information over this period.  

The higher number of breaches relating to contact information will be, to some degree, a function of the fact that only certain organisations need to hold more specific personal information about their customers. Despite the apparent lower impact from breaches relating to contact information, such data is still of substantial value for cyber-criminals for use in phishing and other targeted attacks, and may also be combined with information from other data breaches for more specific criminal use. 

Year  Contact Info  Financial Details  Identity Information  TFN  Health  Other sensitive information 
2018  647  335  273  186  148  61 
2019  817  398  293  255  157  85 
2020  890  408  439  272  184  134 
2021  803  376  432  256  184  140 
Total  3,157  1,517  1,437  969  673  420 

Maliciously originated breaches 

Most forms of malicious/criminal attack have been fairly consistent year-on-year, however ransomware in particular has been increasing year on year and 45% of all ransomware incidents occurred in 2021. The steady increase in this form of money-motivated cyber-attack aligns with anecdotal and industry reports of increases in this type of activity from organised cyber-criminal gangs and certain nation-state actors. 

It is interesting to consider the Optus data breach in the light of whether it would be considered a maliciously originated breach, a system fault, or a combination of both. While it certainly appears the case that a maliciously motivated individual or group has exfiltrated Optus customer data, the methods used remain a matter of debate and have not been fully confirmed by Optus or the federal government. Should it have been the case, an oversight which results in an API (Application Programming Interface) connected to a customer details database being left in an open state to external connections would almost certainly be viewed as a failure of internal systems and procedures. Optus’ CEO has indicated that the breach cause was not as straightforward as this, suggesting a more complex cause involving specific malicious technical action. 

Year  2018  2019  2020  2021  Total 
Malicious Breaches  449  625  627  545  2,246 
Theft paper/Storage  73  80  53  61  267 
Social Engineering  28  52  84  65  229 
Rogue Employee/Insider Threat  41  71  60  54  226 
Cyber (ALL)  307  422  430  365  1,524 
Cyber – Phishing  125  146  132  113  517 
Cyber – Stolen Credentials  79  140  108  100  426 
Cyber – Ransomware  18  29  69  86  202 
Cyber – Hacking  27  34  59  31  151 
Cyber – Brute  34  25  30  18  107 
Cyber – Malware  20  37  24  16  95 
Cyber – Other  5  10  9  2  26 

Human error breaches 

The majority of human error breaches are due to wrongly addressed emails, and this has been consistently the highest category, even with the 15% reduction in 2021.  Unlike malicious or systemic breaches, human error breaches – as classified by the OAIC – have limited technical controls that can be implemented to assist with prevention. Instead, education and procedure remain the best defence against these type of breaches. 

Year  2018  2019  2020  2021  Total 
Human Error Breaches  265  329  380  324  1,298 
Wrong email recipient  74  101  160  136  471 
Wrong hardcopy recipient  33  30  37  18  118 
Loss of hard/soft storage  34  40  25  23  122 
Unintended release/publication  41  76  62  71  250 
Failure to use BCC  22  18  30  25  95 
Failure to redact  14  19  20  23  76 
Unauthorised verbal disclosure  8  19  18  11  56 
Insecure disposal  8  5  2  0  15 
Wrong Recipient (Other)  19  21  25  17  82 
Other  12  0  1  0  13 

 

Business Sector Activity 

The Health, Finance and Business Services sectors collectively made up over 45% of all reported breaches in 2019 and 2020. In 2021, where a substantial reduction of breaches reports were made compared to previous periods, the combined breaches in there three sectors were still approximately 40% of the overall reports. Maliciously originated data breaches in the Legal, Accounting and Management sector was the only category to see a substantial rise in 2021, with almost all other types of breaches in these sectors seeing a decline from the previous year. 

Given the level of highly personal information held by Health sector organisations, the fact that these organisations feature so highly in the NDB statistics is of cause for specific concern. While federal and state legislation provides guidance for the collection, management and use of health data, as well as highlighting the highly confidential nature of such data, Australia currently does not have an equivalent to the US HIPA Act where substantive penalties and sanctions can be levied specifically pertaining to non-criminal use or loss of health data.

Sector  2019  2020  2021  Total 
Health – Malicious  111  97  87  295 
Health – Human Error  106  135  74  315 
Health – System Error  5  6  7  18 
Finance – Malicious  77  98  57  232 
Finance – Human Error  59  47  44  150 
Finance – System Error  10  11  12  33 
Legal, accounting & management – Malicious  60  42  61  163 
Legal, accounting & management – Human Error  25  22  24  71 
Legal, accounting & management – System Error  2  5  1  8 
Total  455  463  367  1285 

The OAIC provide details on the top 5 sectors reporting data breaches over each period. As only the Health, Finance and Legal, Accounting & Management sectors have consistently appeared in the periodic reports, and only the 2019-2021 reporting periods include complete data, only the data from those three sectors and three periods has been included in this analysis.  

 

Observations 

The OAIC official data breach statistics show an overall declining trend in reported breaches under the NDB scheme. On the surface this would potentially represent a good new story – in that organisations are becoming better at preventing data breaches and successful malicious attacks on organisations may becoming fewer. The counter-argument to this observation is the legal advice and remediation response organisations are using to inform their decisions on whether a breach falls under the NDB may have changed over time, resulting in fewer breaches being reported rather than fewer breaches actually occurring. 

The recent data breach incident at Optus has highlighted the widescale impact that a large data breach can have both on the breached organisation and the individuals to which the data belonged to. In terms of the scale, size and type of data that was taken, in addition to the media coverage, there would be little chance that any person assessing this breach would consider that it would not require mandatory reporting. However, in circumstances where a less comprehensive data set was exposed, with substantially fewer affected individuals, the potential for serious harm may not be considered as high, resulting in variable decisions to report.  

A smaller scope breach just involving loss of customer name and address information might be considered to hold lesser chance to cause serious harm by themselves. When such a breach is potentially remediated – say by payment of a ransom – it may be the case that an organisation feels that the breach no longer meets the threshold to require mandatory reporting and notification of affected individuals. However there is little in the way of guarantees that organisations can seek from cyber-criminals who hold exfiltrated data at ransom. The destruction of this data upon payment of a ransom is entirely in the control of the criminals and cannot be verified by the organisation.  

It is also worth noting that a somewhat “lesser” data breach containing names and addresses may be combined with data sets containing account details, passwords and identify information obtained from other breaches. In a similar way that de-identified “Big Data” sets hold the potential for  “re-identifcation” of individuals, combining multiple data sets residing on the dark web following successive breaches of different organisations results in a substantially higher chance of serious harm to affected individuals over time. As such, the OAIC and the Federal Government may wish to consider the provision of further guidance around notification requirements based on the type of data that exposed during a breach as well as what successful remediation of a breach should cover. 

The Optus data breach has also demonstrated that certain types of organisation are required for regulatory reasons to collect more personal information than others. There appears to be substantial uncertainty in the various regulations governing this requirement as to the length of time such information needs to be held and also as to how such information can be used and must be protected by the collecting organisation. Undoubtedly both Federal and State governments in Australia have observed this issue in recent weeks and it can be hoped that specific actions clarifying and improving regulatory requirements around collection, storage, use and disposal of personal information by Australian organisations will be forthcoming in the near future. 

 

Other obligations in reporting an NDB 

Organisations may have other obligations outside of those contained in the Privacy Act that relate to personal information protection when responding to a data breach. These may include data protection obligations under state-based or international data protection laws. Notably, Australian businesses may need to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR) if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. 

For data breaches affecting certain categories of information, other mandatory or voluntary reporting schemes may exist. For example, entities may need to consider reporting breaches to: 

  • the entity’s financial services provider 
  • police or law enforcement bodies 
  • the Australian Securities & Investments Commission (ASIC) 
  • the Australian Prudential Regulation Authority (APRA) 
  • the Australian Taxation Office (ATO) 
  • the Australian Transaction Reports and Analysis Centre (AUSTRAC) 
  • the Australian Cyber Security Centre (ACSC) 
  • the Australian Digital Health Agency (ADHA) 
  • the Department of Health 
  • State or Territory Privacy and Information Commissioners 
  • professional associations and regulatory bodies 
  • insurance providers.

Useful resources 

Office of the Australian Information Commissioner https://www.oaic.gov.au/privacy 

Australian Cyber Security Centre (ACSC) https://www.cyber.gov.au/ 

IDCare https://www.idcare.org/about-idcare/what-is-idcare 

Scamwatch https://www.scamwatch.gov.au/ 

MoneySmart https://www.moneysmart.gov.au/ 

The Office of the eSafety Commissioner https://www.esafety.gov.au/ 

Author

Dr Peter Chapman, Director, Forensic Technology – KPMG

Thank you to Matthew Golab, Director – Legal Informatics and R&D at Gilbert and Tobin, for his analysis of the OAIC reports and contribution to this article.

Five Common Misconceptions about Structured and Unstructured Data

by

Key Takeaways:

  • Structured data is quantitative (anything you can easily store in rows and columns) and relatively easier to keep compliant.
  • Unstructured data is qualitative (think your emails and Teams chats) and much harder to manage.
  • Nearly all organizations are operating under one or more misconceptions about their data (and compliance or lack thereof with new privacy laws!).

The Two Types of Data Your Organization is Accumulating (and Why You Should Care)

We’ll start with why you should care.

If you’re familiar with the data compliance space, you already know that new laws require your organization to take specific steps to protect the rights of anyone whose data they hold. (If you’re not familiar with data compliance – surprise!)

The first step to maintaining compliance with these laws is understanding what data your organization actually has. Not having this understanding is dangerous for three reasons:

  • The less you know about your data holdings, the more likely they are to contain noncompliant data. Which means legal action and large fines if they stay that way.
  • In today’s world, it’s not if your data gets breached, it’s when. You want to ensure your data’s in top shape to preserve your organization’s reputation.
  • Cost! And not just in fines and breach remediation expenses. Chances are your organization doesn’t need most of the data it’s holding, and therefore could be saving a bundle on data storage.

The first step to understanding your data holdings is to understand the difference between the two main types of data: structured and unstructured.

Structured data is what probably comes to mind when you hear the word “data”: spreadsheets on spreadsheets filled with quantitative information. Essentially, structured data is anything you can store in rows and columns, such as information stored in databases (think SQL), CSV files, and so on. It’s easily understood and analyzed by applications other than the ones that generated it, and it doesn’t scale easily – which is good for privacy purposes. It doesn’t grow out of control on its own, at least not for a long time.

Unstructured data is the qualitative data naturally generated from interactions with people. Think the text stored in your emails, Teams chats, social media, and websites. It can also comprise images, PDFs, Word docs – anything you can’t store in rows and columns. It’s not usually in a format that other applications can easily understand and analyze. And it multiplies like you wouldn’t believe: how many emails have you sent and received just this week?

Both types carry their own risk, but unstructured data is by far the riskier of the two. In today’s world, we generate it so quickly and in such high volume – and with such little organization –  that it’s functionally impossible to keep track of without using data discovery software.

On the flip side, once you have the right tool, getting to compliance becomes exponentially easier. When you can visualize all your unstructured data, you can see what’s out of compliance, fix that right quick, and understand where your policies and workflows need to change to keep everything above board.

Some Common Misconceptions Your Organization Might Have

We all know an ounce of prevention is worth a pound of cure. And yet: most of us don’t go to the doctor until we get sick.

The compliance world is no different. With regulations still relatively new, most organizations don’t fully appreciate the urgency surrounding the issue – and won’t until they themselves get breached.

If your organization is anything like most, you’re probably operating under one of the following misconceptions.

Misconception #1: We Already Know What Data We Have

Name the last time you checked your Teams log. Or your Downloads folder. Your email archives? You get the idea.

People – and companies – don’t typically monitor or clean these types of things without a push. Without the proper privacy functions in place, we’re liable to think the trash in the ocean isn’t a problem. Until, of course, there’s an island of it.

Misconception #2: We Won’t Get Breached

There is a roughly 30% chance your organization will get breached this year. This stat increases every year.

It’s also possible you’ve already been breached. According to IBM’s annual Cost of a Data Breach report, the average time to identify and contain a breach in 2021 was 287 days.

When you get breached, you can cut the time and expense involved significantly – nearly entirely – by already being in compliance. Compliant data equals a quick, cheap(er) remediation with no additional reputational damage on top of the fact that the breach occurred.

Misconception #3: It’s Too Expensive to Figure Out What We Have

According to that same IBM report, the average cost of a breach in a hybrid cloud environment was $3.61 million. On top of that, compliance failure was the top factor found to amplify data breach costs. And remember, it’s not just the cost of remediating compliance flaws you have to worry about. Regulatory fines are getting steeper every year.

Misconception #4: It’s Too Labor Intensive – We’d Need a Team of Experts

Since data privacy regulations are so new and the solution market is still growing, it’s easy to believe you’d need in-house specialists to operate whichever data discovery solution you ended up going with.

Not if you choose the right one! Specifically, you want to make sure you select a solution that’s purpose-built for ease of use. From deployment to monitoring and at every stage in between, no expert knowledge should be required. Don’t go with a solution that’s been repurposed from another area of the market, such as data loss prevention or data access management.

Misconception #5: Traditional Data Inventory Methods Still Cut It

Back in the day, and still sometimes today, organizations would build data inventories through manual assessments and questionnaires: they’d basically ask their staff what data they thought the organization had.

In today’s world, with data accumulating and multiplying by the second, a manual static inventory won’t do the trick. It’s obsolete as soon as you create it.

To ensure continuous compliance, you need real-time visibility into your data.

Learn more

To learn more about data protection, security and compliance, listen to this podcast published on the Society of Corporate Compliance’s blog.

For more information on how to achieve cost effective and lightning speed visibility into your unstructured data so you can mitigate risk, check out ActiveNav Cloud.

 

Author

Simon Costello, VP – APAC, ActiveNav

New Data Availability and Transparency Act 2022 in force

by

The Data Availability and Transparency Act 2022 commenced in April.   The Act establishes a new, best practice DATA scheme for sharing Australian Government data, underpinned by strong safeguards and simplified, efficient.  For an introduction to how the Scheme works, read more at A Scheme for sharing Australian Government data. Commonwealth, state and territory government agencies can now apply to be accredited users under the DATA Scheme.  And from 1 August, Australian universities will be able to apply for accreditation as data users and as data service providers. Follow these links to learn more about participating in the DATA Scheme or to access the scheme-on-a-page overview.
Member only content (join now or login)

Doug Laney author of ‘Infonomics’ announces release of new book ‘Data Juice’

by

Data Juice is the latest book just released by Doug Laney,  author of Infonomics: How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage. Containing more than 100 real-world examples and expert commentaries on how organizations around the world and in every industry are monetizing their own (and others’) data in diverse ways, Data Juice is a resource for data, business, and IT leaders looking to inspire their teams or executives with ways to thrive in the Digital Age.  Further below is an excerpt from Data Juice, available to purchase now on Amazon About the author Doug Laney is the data & analytics strategy innovation fellow with the consultancy, West Monroe. Formerly he was a vice president and distinguished analyst with Gartner’s Chief Data Officer (CDO) research and advisory practice. He is an accomplished practitioner and recognized authority on data and analytics strategy, and is a three-time […]
Member only content (join now or login)

2021 Solomon Lecture

by

This year’s Solomon Lecture presented by the Queensland Office of the Information Commissioner featured Professor Beth Simone Noveck on ‘Solving Public Problems with Data’. Professor Noveck’s lecture explores how traditionally, the right to know is rooted in the belief that members of the public should know what their government does in order to hold the government to account, lessen the risk of corruption and shine a light on wasteful and inefficient operations. Beth Simone Noveck discusses how a focus on public problem solving and improving people’s lives changes how we think about data. She discusses specific policy prescriptions for creating a right to know that fosters better government, stronger citizenship and more agile solutions to contemporary challenges. Watch the Solomon Lecture here.
Member only content (join now or login)

Preventing Digital Harm

by

The World Economic Forum published Pathways to Digital Justice report to address systemic legal and judicial gaps, and help guide law and policy efforts towards combating data-driven harms. This is particularly important with the increase in online activities and digitization of services, which – when misused – can present new types of risk. The white paper, produced in collaboration with an advisory committee consisting of experts from around the world, is intended to guide policy efforts towards combating data-driven harms. The hope is that legal and judicial systems can then evolve to embed redress mechanisms that enable the creation of a data ecosystem which protects individuals and is accountable to them. Read the World Economic Forum statement here or the report.
Member only content (join now or login)

Exposure Draft of the Data Availability and Transparency Bill

by

  The draft Data Availability and Transparency Bill aims to modernise and streamline the sharing of government data between agencies and with the private and research sectors. Under the legislation, data will be shared for three purposes: government services delivery, informing government policy and programs, and research and development.  The Consultation Paper contains a simplified summary of the legislative package. Submissions made by a group of multidisciplinary practitioners and academics highlight privacy and governance concerns.  These include the override of Australia Privacy Principle (APP) 6 and the inherent conflict of National Data Commissioner whose mandate is to encourage data sharing with the enforcement of the regulation.  The submission recommends that governance and assurance be regulated the Australian Information and Privacy Commissioner.  You can read the submission here.
Member only content (join now or login)

Automated Decision Making Transparency under GIPA Act

by

The increasing adoption of technology requires the preservation, assurance and assertion of information access rights. To achieve these outcomes, government licensing and contractual arrangements should ensure accessibility and ‘explainability’ in the provision of government services and decision making. The issue of algorithmic transparency of a government agency’s contractor is currently before the NSW Civil and Administrative Tribunal. The Agency provided some information to the Applicant but decided that other information is not held by the Agency as it is held by the Contractor and remains its intellectual property. The GIPA Act provides a right to access information held in a record of an NSW Government agency and that right may also apply to information held by contractors providing services to the public. The NSW IPC has published guidance for agencies under section 121 of the GIPA Act, including a template clause for agencies to include in contracts with third parties […]
Member only content (join now or login)

Protecting Privacy by Minimizing Data

by

Posted with permission from Active Navigation, originally published on June 1. Ten years ago, there was no such thing as too much data. Notions about data being the “new oil” prompted organizations to horde every byte they could, hoping that they might be able to harness it down the road. Combined with the notion that “storage is cheap,” this belief has led many companies to exponentially increased their risk rather than their opportunity. New data privacy regulations in Europe and the United States impose a significant burden of care on organizations regarding their data collection processes. In fact, data minimization is a fundamental principle within the European Union’s General Data Protection Regulation (GDPR). Whether governed by the GDPR or state privacy regulations like the California Consumer Privacy Act (CCPA), businesses must now limit the personal data they collect and dispose of it once it is no longer needed for a […]
Member only content (join now or login)

Is Your Data Estate an Unstructured Mess? How a Spring-Cleaning Project Can Reduce Your Organization’s Risk

by

Posted with permission from Active Navigation, originally published on June 10. In this special guest feature, Dean Gonsowski, Chief Revenue Officer at Active Navigation, InfoGovANZ's Foundation Sponsor, focuses on what steps a company needs to follow to review, understand and clean-up their data to eliminate security risks. As a former litigator/GC/AGC, Dean has a proven track record of accelerating the rapid development of high growth, venture backed software companies (such as Relativity/kCura, Clearwell/Veritas, Recommind/Opentext).  He is a seasoned professional with the ability to build/manage teams, run P&Ls in executive leadership roles including Sales, Strategy, Business Development, Marketing and Professional Services. Dean has a JD from the University of San Diego School of Law and a BS from the University of California, Santa Barbara.    The volume and variety of data created in the past decade doesn’t show signs of slowing down – nor does the pace of hacking attempts. Unstructured data, also […]
Member only content (join now or login)

COVID19 – Data and Privacy

by

COVID-19 has brought to the forefront the importance of real-time accurate data for scientists to analyze and model and for government leaders to make decisions on. InfoGovANZ has complied a series of COVID-19 curated articles and resources, updated monthly. June 2020 OVIC has released new guidance on how the exemptions in the Freedom of Information Act should be applied.  OVIC has updated the FOI and COVID19 FAQs for agencies – read them here – to include questions about the new COVID-19 regulations including: what to do if your agency is completely shut down; and how to verify an applicant’s identity. Australian Information and Privacy Commissioner (OAIC) has updated it’s FOI FAQ with the latest COVID-19 relevant questions including how to make an FOI complaint during the COVID-19 outbreak. May 2020 Australian and New Zealand Information Access Commissioners join with their international counterparts in their clear call for documentation, preservation and […]
Member only content (join now or login)

COVID19 – EU, US & International Resources

by

Below is a collection of useful privacy and data protection resources from the EU, US and globally. Data Protection Authorities guidance on COVID-19 published by Data Protection Authorities (DPAs) collated by International Association of Privacy Professionals. These provide information and frequently asked questions on data processing and COVID-19 across a range of countries. Resources page on crucial privacy and data protection law issues arising from COVID-19 covering the EU & globally by Law, Science, Technology & Society of the Vrije Universiteit Brussel. The Initiative is of direct interest for LSTS researchers, most notably in the context of the Brussels Privacy Hub (BPH) work on data protection in humanitarian action as well as the work of ALTEP-DP project. US Privacy and Data Protection Resources related to COVID-19, together with other international resources has been compiled by the Future of Privacy Forum.
Member only content (join now or login)

What is Good Government Data Sharing?

by

The Australian Federal Government has been conducting an extended consultation as to how data linkage and data sharing between government agencies might be accommodated through a special purpose statute that walks the fine line of maintaining digital trust and meeting data privacy concerns of citizens and civil society organisations, while facilitated controlled good data sharing between agencies.  The Data Availability and Transparency Bill (DATA), is proposed to be released in this calendar quarter. In this in depth analysis, Professor Peter Leonard has canvassed the challenges which this new federal data sharing law will need to address and compared current proposals with existing government agency data sharing laws in NSW, Vic and SA. While Peter concludes that the DATA is a welcome development, he also notes that bigger questions loom about use of the powerful tools which data sharing puts into the hands of Governments, as illustrated by the Robodebt controversy.  […]
Member only content (join now or login)

Privacy-Preserving Data Sharing Frameworks

by

This is the third in a series of papers and develops a practical solution providing a framework for privacy preserving data sharing, addressing technical challenges as well as data sharing issues more broadly. It builds on the 2018 ACS Report, Privacy in Data Sharing: A Guide for Business and Government, expanding the concept of a Personal Information Factor and introducing a Utility Factor with worked examples. Download the report here
Member only content (join now or login)

Infonomics – valuing information assets

by

  Infonomics is the discipline of valuing Information Assets and it is based on the idea that information is an enterprise asset that should be counted and managed.  This article explains why Infonomics is becoming increasingly important. Information Assets (data, information, published content and knowledge) are arguably an organisation’s most vital and strategic resource.  Providing the right data to the right people at the right time is critical to every business activity, every business process and every business decision.  Information Assets are the only ones that cannot be replaced if lost or destroyed.  They are foundational to all high-profile business solutions and technology enablement: to analytics, artificial intelligence and machine learning; cyber-security; cloud computing; Blockchain and the Internet Of Things; and almost any form of innovation and disruption. Unlike other physical or even financial assets that can only be used once then are used-up, any Information Assets can be used […]
Member only content (join now or login)

Identity Conference 2019 – Identity as taonga: now and in the future

by

He taonga te tuakiri: āianei, haere ake nei New Zealand’s Identity Conference 2019 was the fourth in a series of conferences that began in 2008.  The conference was held at the Museum of New Zealand Te Papa Tongarewa, Wellington, on 26 and 27 August 2019.  The conference purpose or ‘big idea is to look at the identity-related problems of today and the solutions of tomorrow’.  Carol Feurriegel recounts some of the highlights from the conference.  “Identity is a complex and sensitive area. It reflects our sense of self and it is also at the heart of relationships between people and organisations. Our Identity is our taonga” to quote Professor Steve Warburton, in his keynote address as Chair of the Identity Conference 2019 on Monday 26thAugust. It is fitting that the premier event that takes a multi-disciplinary perspective on Identity is held at Te Papa Tongawera, Museum of New Zealand in Wellington. “Taonga” means ‘treasure’ in […]
Member only content (join now or login)