In November 2018, Australia's Federal Parliament passed a bill to increase data security measures across the national My Health Record system. This welcome privacy reform comes after 99 major data breaches around the country implicated personal medical records in only 6 years – including sensitive medical information from underage patients.
The recent amendments to the law allow for "permanent deletion of health records, prohibit access by insurers and employers, boost protections for people at risk of family violence, and ensure data cannot be used for commercial purposes." And not a moment too soon.
As we approach Australia's July 2019 deadline for a "brave new world of open data" – a term coined at the recent ARCA National Conference – we cannot view privacy and security as an add-on, or something we 'have to do.'
The data landscape is growing more complex as consumers take information ownership back into their own hands, and the sector is only as strong as its weakest link. We need to worry not only about securing our own backyards, but also about those of the parties we share data with, and work together on industry-wide security solutions if the open data revolution is to be pitfall-free.
Security is the foundation of all innovation
Amidst regulatory changes, economic pressures and changing consumer preferences, we as businesses have better insights to work with, more commercial opportunities and increased customer engagement. But we are also challenged with continuously maintaining a competitive edge, bringing relevant products to market and finding solutions.
It's clear that innovation is vital – but without a robust security program in place, commercial risk is high, consumer confidence is low, consumer advocacy is absent and open data participation diminishes. Robust protocols, consumer ID validation, appropriate oversight, governance, reporting and monitoring give businesses the confidence and agility needed to drive innovation.
Think about it as a well-built house: The walls, windows and gates are like malware protection – structures that make the environment as hard as possible for the bad guys to break into. An alarm system acts as a backup to alert you if the bad guys manage to get in – for example, if traffic to your application hits levels that trigger alarms. Encryption is like the home's safe – if the intruders do manage to get the data, they can't do anything with it. And data loss prevention picks up on people sending documents they shouldn't, or personal information leaving that shouldn't.
If the house is secure, life can progress as normal, without constant fear and interruption from external threats.
Why consumer trust is imperative
As with any major industry change, we're on a steep adoption curve with open data that starts at hype and ends at broad-based adoption. But that trajectory will stagnate if we don't ensure that consumers understand the new landscape and follow the related security protocols.
We want consumers to be able to control their finances with smarter management tools in a secure way. We want mortgage providers to better understand a consumer's affordability for an application, or a property company to qualify an individual's income and rental history to better assess their eligibility to rent a property in a secure manner.
But we can't get what we want without everyone being on the same page. Losing customer trust equates to halting innovation – it won't matter how robust and appropriate the security framework is if no one knows about it or wants to use it.
As the UK's Tony Blair once said, it's all about 'education, education, education'.
Getting the population (securely) on board
While there is some conceptual understanding amongst consumers, there is a real sense of consumer fear around ownership and security regarding open data.
Research we undertook earlier this year across APAC revealed that two thirds of consumers are comfortable with sharing basic personal data; however, for highly guarded data and demographic information, their willingness radically decreases.
Interestingly, people are most comfortable sharing basic personal data with retailers. On the other hand, consumer trust in banks is underwhelming, even though there are fewer recorded breaches within banks than retailers. Retailers have fallen victim to some of the biggest breaches, such as Target's breach, which affected 41 million customer payment-card accounts and revealed contact information of more than 60 million customers.
But a large proportion of consumers are not clued up on data sharing. In fact, a fifth of consumers in the UK are oblivious to the way in which companies wish to use their data, often accepting it without really understanding the reason, the next step or the benefits.
If our local understanding of data use is not nurtured, people may feel cheated if their perception of the value-exchange is not positive, or may be unwilling to participate in open data initiatives, significantly reducing the potential success of systems such as Open Banking.
Beyond the software: Evolving skills to support security
Among my peers, I am noticing that when organisations approach their boards and risk committees these days, the conversations are increasingly focused on data assets and data breaches. Risk is no longer the responsibility of Risk Officers alone – we are all accountable.
We need to be bringing people in and upskilling people across the business to understand cyber security and more complex data risks in the face of such influential change. Businesses can complement existing traditional risk functions by acquiring talent and knowledge around data security and hiring the skills to implement and manage the robust security programs we so actively endorse.
After all, without attracting the right people on the ground to carry it out, the advanced software and systems in place won't reach their full potential.
Global Chief Information Officer
December 2018