Data security: why regular inactive customer account purges are a must
In recent cyber attacks in Australia, cyber criminals reportedly gained fraudulent access to over 15 million customer accounts and made thousands of online purchases with them, affecting businesses such as Dan Murphy’s, Event Cinemas and Guzman y Gomez. The attacks were reported as credential stuffing, in which usernames and passwords leaked in earlier breaches are replayed against other sites; accounts that customers have stopped using, but that still exist, are exactly the ones such attacks succeed against. In the wake of these attacks, businesses should review their approach to data security and data retention.
Under Australia’s Privacy Act, if a business to which the Australian Privacy Principles apply (an APP entity) holds personal information about an individual, it must take reasonable steps to protect that information from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11.1). If the business no longer needs the information for any purpose, it must take reasonable steps to destroy it or ensure it is de-identified (APP 11.2).
In its 2023 Data Governance Report, the Governance Institute of Australia reported that fewer than a third of organisations regularly purge data. Among those that do, the most common purge interval is annual.
As attacks such as the ones recently reported become more prevalent and more sophisticated, businesses should regularly review unused customer data and inactive customer accounts and delete or de-identify what is no longer needed. Every dormant account that is removed is one fewer set of credentials an attacker can replay and one fewer record that can be exposed in a breach, so a routine purge directly reduces the impact of a cyber attack.
Unsurprisingly, security and destruction of personal information were identified as areas of increasing concern in the Commonwealth Government’s response, released in September 2023, to the Attorney‑General’s Department’s Privacy Act Review Report of February 2023. A key aim of the proposed privacy reforms is to reduce the amount of personal information collected and held by APP entities. The Government has agreed, or agreed in principle, to most of the recommendations on data security and data destruction.
Specifically:
- The Government agrees the Privacy Act’s existing security obligations should be enhanced by specifying that ‘reasonable steps’ in APP 11 include both technical and organisational measures (recommendation 21.1).
- The Government agrees APP guidance issued by the Office of the Australian Information Commissioner (OAIC) should be revised to articulate what reasonable steps should be taken to keep personal information secure (recommendation 21.3) and to destroy or de-identify personal information (recommendation 21.5).
- The Government agrees in principle (subject to further review) that APP entities should be required to set their own maximum and minimum retention periods for the personal information they hold (recommendation 21.7) and to state those retention periods in their privacy policies (recommendation 21.8).
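The article does not say how a purge should be carried out, so the following is an added example, not code from the article or the Cyber Alliance Group. It sketches one way to apply the retention ideas above in practice: a periodic sweep that leaves active accounts alone, warns the customer before a dormant account is destroyed, de-identifies rather than deletes where a record must be kept for a minimum period, and deletes the rest. The periods (two years of inactivity, a 30-day notice period, seven years of record retention), the `legal_hold` flag, the `PSEUDONYM_KEY` and the sample accounts are all assumptions for illustration; the Privacy Act and the article name no specific periods, and a real policy would be set with legal advice.

```python
# Added example (not from the article): a retention sweep over customer accounts.
# Policy periods and sample data are assumptions for illustration only.
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVE_AFTER = timedelta(days=730)      # assumed: no login for ~2 years means dormant
NOTICE_PERIOD = timedelta(days=30)        # assumed: warn the customer, then act
MIN_RETENTION = timedelta(days=7 * 365)   # assumed: keep purchase records this long
PSEUDONYM_KEY = b"rotate-me-and-keep-out-of-source"  # assumed secret, held outside the app


@dataclass(frozen=True)
class Account:
    id: str
    email: str
    name: str
    last_login: datetime
    last_transaction: Optional[datetime] = None
    legal_hold: bool = False                       # minimum-retention override
    deletion_notice_sent: Optional[datetime] = None
    de_identified: bool = False


def classify(acct: Account, now: datetime) -> str:
    """Decide what the sweep does with one account: retain, notify, de-identify or delete."""
    if acct.legal_hold:
        return "retain"                                     # minimum retention wins over purge
    if acct.de_identified:
        # Already stripped of identifiers; drop the record once its retention period ends.
        keep = acct.last_transaction and now < acct.last_transaction + MIN_RETENTION
        return "retain" if keep else "delete"
    if now < acct.last_login + INACTIVE_AFTER:
        return "retain"                                     # still active
    if acct.deletion_notice_sent is None:
        return "notify"                                     # dormant: warn before destroying
    if now < acct.deletion_notice_sent + NOTICE_PERIOD:
        return "retain"                                     # notice period still running
    if acct.last_transaction and now < acct.last_transaction + MIN_RETENTION:
        return "de-identify"                                # must keep the transaction, not the person
    return "delete"


def de_identify(acct: Account) -> Account:
    """Strip direct identifiers; a keyed pseudonym keeps transaction records linkable without the person."""
    pseudonym = hmac.new(PSEUDONYM_KEY, acct.id.encode(), hashlib.sha256).hexdigest()[:16]
    return replace(acct, id=pseudonym, email="", name="", de_identified=True,
                   deletion_notice_sent=None)


def run_sweep(accounts, now: datetime):
    """Apply the policy. Returns (account ids grouped by action, the surviving account list)."""
    actions = {"retain": [], "notify": [], "de-identify": [], "delete": []}
    survivors = []
    for acct in accounts:
        action = classify(acct, now)
        actions[action].append(acct.id)
        if action == "delete":
            continue                                        # gone: nothing left to steal
        if action == "notify":
            acct = replace(acct, deletion_notice_sent=now)  # a real system also emails the customer
        elif action == "de-identify":
            acct = de_identify(acct)
        survivors.append(acct)
    return actions, survivors


UTC = timezone.utc
NOW = datetime(2024, 1, 15, tzinfo=UTC)
SAMPLE_ACCOUNTS = [  # constructed sample data
    Account("a1", "a@example.com", "Ann", datetime(2023, 12, 1, tzinfo=UTC)),
    Account("a2", "b@example.com", "Bob", datetime(2021, 6, 1, tzinfo=UTC)),
    Account("a3", "c@example.com", "Cy", datetime(2021, 1, 1, tzinfo=UTC),
            deletion_notice_sent=datetime(2023, 12, 1, tzinfo=UTC)),
    Account("a4", "d@example.com", "Di", datetime(2021, 1, 1, tzinfo=UTC),
            last_transaction=datetime(2020, 3, 1, tzinfo=UTC),
            deletion_notice_sent=datetime(2023, 12, 1, tzinfo=UTC)),
    Account("a5", "e@example.com", "Ed", datetime(2021, 1, 1, tzinfo=UTC),
            deletion_notice_sent=datetime(2024, 1, 1, tzinfo=UTC)),
    Account("a6", "f@example.com", "Fay", datetime(2020, 1, 1, tzinfo=UTC), legal_hold=True),
]

if __name__ == "__main__":
    actions, survivors = run_sweep(SAMPLE_ACCOUNTS, NOW)
    for action, ids in actions.items():
        print(f"{action:12} {ids}")
```

Two design points are worth noting. The sweep records an action for every account, including "retain", so the run log itself shows that the retention policy was applied to the whole population and not just to the accounts that were removed. And de-identification is a distinct outcome from deletion: the transaction row survives under a keyed pseudonym for as long as the minimum retention period requires, after which a later sweep removes it outright.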
Safeguarding data requires a proactive approach. Regularly reviewing and updating data security, retention and deletion policies and processes is an important step in protecting businesses, customers and data from cyber criminals. Failing to do so risks breaching Australian privacy law and leaves businesses and customers exposed to attacks like the recent incidents highlighted in the media.
This article provides general comments only. It does not purport to be legal advice. Before acting on the basis of any material contained in this article, we recommend that you seek professional advice.
Co-author: Narisse Fechner, Lawyer, Transactions
Cyber Alliance Group
The Cyber Alliance Group is a collaboration between DMAW Lawyers, Comunet and Digital Trace Australia to provide comprehensive cyber security advice and services to business.
Whether you are responding to a cyber security incident or are looking to proactively enhance your cyber security processes and governance, we can provide a range of services that will enable you to re-focus your attention where it’s needed – your business.
Our expertise
Our team of cyber and information security specialists advises clients at each stage of the data lifecycle – from proactive risk management to incident response and recovery.
From the outset, we work closely with our clients to identify and manage internal and external data privacy and security risks through legal documentation, establishment of appropriate board and management governance arrangements, policies and procedures, on-boarding arrangements and IT protection.
Should a cyber incident or information breach occur our team will be right by your side to advise and assist you with response, damage mitigation, recovery and obtaining legal remedies.