Australian businesses support data retention but nervous about cybercrime and cost implications
Announcement posted by Protiviti 16 Sep 2014
Australian businesses support data retention but nervous about cybercrime and cost implications
15 September 2014
As the Federal Government poises to toughen laws to crack down on terrorist threats on home soil, a new survey has found that Australian corporates generally support the government’s data retention proposals, but insist on strict safeguards to protect against the heightened privacy and cyber-crime risks, while harbouring deep concerns about the measure’s ‘knock-on’ costs for the business community.
A survey of managers and executives from organisations in the listed, private and government sectors conducted by global risk consulting firm, Protiviti, has revealed that 64 per cent of respondents support the government’s push to require telecommunications and internet companies to retain customer communications data for national security purposes for up to two years.
However, 78 per cent say this is strictly on the proviso that authorities have a Court-issued warrant to access the data – a restriction that does not currently apply to law enforcement agencies. In the event the government proposes to allow security authorities warrant-less access to such information, a majority of respondents said this should be limited only to high risk national security investigations such as terrorism cases (88 per cent) or to serious crimes involving physical or community harm such as murder or paedophilia (66 per cent).
“The business community appreciates that national security risks are a legitimate focus for the government at present. However they also feel that retaining customer ‘metadata’ can amount to a significant privacy incursion as it can reveal a great deal about a person’s movements, relationships and day to day lives. Ultimately, they believe that the best way to balance these opposing and competing interests is to ensure law enforcement and intelligence agencies receive Court authorisation through a warrant, before they can access the information,” said Mr Mark Harrison, managing director of Protiviti.
The survey also found that 62 per cent of respondents believed the proposed data retention scheme would lead to greater data security risks in the form of more targeted hacking and cybercrime activity as telcos and ISPs become obliged to store larger volumes of personal data for longer periods. In fact, the risks are perceived to be so great, that 87 per cent of respondents considered that those companies should have to apply specific security standards to the information held.
“There’s no doubt companies are in a difficult situation with government policies appearing to be sending out mixed messages. On the one hand, the new Privacy Act which came into effect in March this year urges organisations to retain as little personal information as possible for as short a time as is necessary, to protect community privacy. Yet on the other hand, the data retention proposals are pushing for large volumes of data to be kept for up to two years. Many companies are concerned that the vast stores of information created by these measures will act as a ‘honeypot’ for cybercriminals on the hunt for easy targets.
“In fact, as many as 22 per cent of respondents said that if the measures come in, their organisation may re-think its approach to using telcos and ISPs in order to protect business data. That could involve implementing further communication security measures such as moving to default email addresses or encryption,” Mr Harrison said.
In the course of the debate over these proposals, several telecommunications and internet companies have highlighted that the measures are likely to push up their data infrastructure and storage costs significantly. 61 per cent of survey respondents indicated that telcos and ISPs should be entitled to pass on those costs to users. However, 47 per cent said that as business users, they would not be happy about having to pay the higher ISP and communications charges, as against 42 per cent who said they would accept the charges as the price for improving national security.
Importantly, 32 per cent of respondents said they expected the data retention measures to result in increased costs for their own organisations, not just in the form of higher telecommunications and ISP charges, but also as compliance costs, increased data security costs and the costs of implementing ‘knock-on’ business process changes. And while 41 per cent reported that they, in turn, would pass on those costs to stakeholders, 32 per cent disagreed, saying the additional costs would be absorbed into their budgets.
“The direct and flow-on costs of these measures will ripple throughout the business community. And while there is acceptance from some quarters that the costs are justified in the interests of national security, the government may wish to canvass less costly policy options or alternative funding mechanisms for companies directly affected by the measures”, Mr Harrison said.
Notes to the editor
Other key findings from the survey:
-ENDS-
For further information contact Su Lin Ho at CallidusPR on 02 9262 9295 or 0421 616 617
About Protiviti
Protiviti (http://www.protiviti.com.au/) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through its network of more than 70 offices in over 20 countries, Protiviti has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
About the Protiviti National Security vs Privacy Survey
The Protiviti National Security vs Privacy Survey surveyed managers and executives in predominantly risk, finance and IT roles, across the listed, government, private and NFP sectors. The survey received responses from 40 organisations.
15 September 2014
As the Federal Government poises to toughen laws to crack down on terrorist threats on home soil, a new survey has found that Australian corporates generally support the government’s data retention proposals, but insist on strict safeguards to protect against the heightened privacy and cyber-crime risks, while harbouring deep concerns about the measure’s ‘knock-on’ costs for the business community.
A survey of managers and executives from organisations in the listed, private and government sectors conducted by global risk consulting firm, Protiviti, has revealed that 64 per cent of respondents support the government’s push to require telecommunications and internet companies to retain customer communications data for national security purposes for up to two years.
However, 78 per cent say this is strictly on the proviso that authorities have a Court-issued warrant to access the data – a restriction that does not currently apply to law enforcement agencies. In the event the government proposes to allow security authorities warrant-less access to such information, a majority of respondents said this should be limited only to high risk national security investigations such as terrorism cases (88 per cent) or to serious crimes involving physical or community harm such as murder or paedophilia (66 per cent).
“The business community appreciates that national security risks are a legitimate focus for the government at present. However they also feel that retaining customer ‘metadata’ can amount to a significant privacy incursion as it can reveal a great deal about a person’s movements, relationships and day to day lives. Ultimately, they believe that the best way to balance these opposing and competing interests is to ensure law enforcement and intelligence agencies receive Court authorisation through a warrant, before they can access the information,” said Mr Mark Harrison, managing director of Protiviti.
The survey also found that 62 per cent of respondents believed the proposed data retention scheme would lead to greater data security risks in the form of more targeted hacking and cybercrime activity as telcos and ISPs become obliged to store larger volumes of personal data for longer periods. In fact, the risks are perceived to be so great, that 87 per cent of respondents considered that those companies should have to apply specific security standards to the information held.
“There’s no doubt companies are in a difficult situation with government policies appearing to be sending out mixed messages. On the one hand, the new Privacy Act which came into effect in March this year urges organisations to retain as little personal information as possible for as short a time as is necessary, to protect community privacy. Yet on the other hand, the data retention proposals are pushing for large volumes of data to be kept for up to two years. Many companies are concerned that the vast stores of information created by these measures will act as a ‘honeypot’ for cybercriminals on the hunt for easy targets.
“In fact, as many as 22 per cent of respondents said that if the measures come in, their organisation may re-think its approach to using telcos and ISPs in order to protect business data. That could involve implementing further communication security measures such as moving to default email addresses or encryption,” Mr Harrison said.
In the course of the debate over these proposals, several telecommunications and internet companies have highlighted that the measures are likely to push up their data infrastructure and storage costs significantly. 61 per cent of survey respondents indicated that telcos and ISPs should be entitled to pass on those costs to users. However, 47 per cent said that as business users, they would not be happy about having to pay the higher ISP and communications charges, as against 42 per cent who said they would accept the charges as the price for improving national security.
Importantly, 32 per cent of respondents said they expected the data retention measures to result in increased costs for their own organisations, not just in the form of higher telecommunications and ISP charges, but also as compliance costs, increased data security costs and the costs of implementing ‘knock-on’ business process changes. And while 41 per cent reported that they, in turn, would pass on those costs to stakeholders, 32 per cent disagreed, saying the additional costs would be absorbed into their budgets.
“The direct and flow-on costs of these measures will ripple throughout the business community. And while there is acceptance from some quarters that the costs are justified in the interests of national security, the government may wish to canvass less costly policy options or alternative funding mechanisms for companies directly affected by the measures”, Mr Harrison said.
Notes to the editor
Other key findings from the survey:
- 89 per cent of respondents said it should be mandatory for all companies and government organisations which collect and store personal information to notify the public and affected stakeholders where they have experienced a data security breach resulting in the exposure of personal data.
- 69 per cent agreed that telecommunications companies and 61 per cent agreed that ISPs should be subject to the proposed data retention measures. Only 36 per cent said the measures should also apply to social media platforms such as Facebook, Twitter and Google. But 47 per cent said the laws should also be extended to require financial institutions to retain customer data.
-ENDS-
For further information contact Su Lin Ho at CallidusPR on 02 9262 9295 or 0421 616 617
About Protiviti
Protiviti (http://www.protiviti.com.au/) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through its network of more than 70 offices in over 20 countries, Protiviti has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
About the Protiviti National Security vs Privacy Survey
The Protiviti National Security vs Privacy Survey surveyed managers and executives in predominantly risk, finance and IT roles, across the listed, government, private and NFP sectors. The survey received responses from 40 organisations.