Compliance and corporate governance

It was the stuff of corporate nightmares. On 22 September, Australia’s second-largest telco released a statement that revealed it was the victim of one of the country’s biggest-ever data breaches.
“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” Optus CEO Kelly Bayer Rosmarin said of an incident that compromised data of up to 10 million people including their home addresses, drivers’ licenses and passport numbers.

A month later it was the turn of health insurer Medibank, which confirmed the data of every one of its 3.9 million customers [2] had been exposed to a hacker.

As the negative headlines grew and share prices fell, countless senior executives no doubt felt a shiver run down their spines as they imagined a scenario in which their own organisations suffered such a breach. In the modern environment of data centres and cloud storage, strong compliance and corporate governance measures have never been more important, but the reality is that many business leaders are struggling to handle the policies and procedures the new world demands.

Throw in the complexity of partnering with outsourcing providers and relying on the data privacy compliance frameworks of third-party operators and there are even more questions to be asked. Are they compliant with Australian data security laws? Do they take additional measures to protect our customers’ privacy? Where do they even host our data?

And the most important question of all – what can our organisation do to avoid becoming the next Optus or Medibank?

The overhaul of cybersecurity laws in Australia: implications of non-compliance

In response to the growing threat of cyber attacks, the Australian government is currently undertaking a significant overhaul of its cyber security laws. The changes are aimed at strengthening the country's cyber security posture and making it easier for companies to protect themselves from cyber attacks. The new laws will require companies to report cyber incidents to the government and will provide the Australian Cyber Security Centre with greater powers to respond to threats. The legislation will also require companies to implement appropriate security measures to protect their data and systems. These measures include mandatory data breach notification requirements, stronger privacy protections and increased penalties for non-compliance.

The legal implications of non-compliance with Australia's cyber security laws are significant. Companies that fail to comply with the new legislation could face fines, legal action and damage to their reputation. They may also be held liable for any damages resulting from a cyber attack, including loss of data, reputational damage and financial losses. The impact of a cyber attack can be devastating, not only for the company but also for its customers, suppliers and partners. In addition to financial losses, the company may suffer irreparable harm to its reputation, resulting in loss of business and customers. It is essential that companies take cyber security seriously and ensure that they are complying with all applicable laws and regulations.

Know your partners – and their partners

While outsourcing is a tried and tested way to reduce costs, increase efficiencies and boost productivity, it is essential that companies make every effort to mitigate the risks associated with data storage. Whether working with an onshore or offshore provider, ask where your data is going to be hosted, confirm they are compliant with all industry regulations and investigate the penetration testing they have in place to verify its security. Remember, too, that your outsourcing provider may itself partner with third parties, so insist that every organisation in the ecosystem you have built for yourself adheres to the values you and your customers hold dear.

Commit to high ESG standards

If you are yet to familiarise yourself with ESG, it is time to get on board. An acronym for Environmental, Social and Governance, it refers to a set of non-financial factors that investors are increasingly using to identify risks and growth opportunities. Just as today’s customers are showing a willingness to pay a premium for services they consider sustainable and inclusive, they will be quick to walk away from organisations that fail to adhere to the highest of ESG standards. This flows to customer expectations about data security and privacy, which is why it is not only crucial to partner with compliant outsourcing partners but to communicate that commitment to your customers.

Use a centralised source to verify digital identity

As the world increasingly chooses digital transactions over the physical kind, businesses have had to build digital identity systems to support their employees and customers. Instead of every organisation collecting Personally Identifiable Information (PII), consider joining the trend towards verifying digital identities via a centralised digital source. While still in its infancy in Australia, the approach is working well in other jurisdictions and improves the protection of PII by reducing the need for multiple copies of it to be held across different organisations.

Consider hybrid data storage

Data security is too important to get wrong. A company can deliver the best customer experience the industry has witnessed, but a series of headlines such as those endured by Optus and Medibank can set goodwill back years. For this reason, you can expect a big shift toward hybrid storage models in the coming year. While outsourcing providers deliver an essential service, an increasing number of executives want control over where their data is hosted, and that lends itself towards a situation where a service may be provided by a third party but data is stored in a cloud owned by the customer. That way the latter has greater control over compliance, governance, and protecting its reputation.

Be stringent at audit time

The days of annual ‘tick-and-flick’ audits are over. The outsourcing providers that shine will be those that are ready to throw open their doors to their customers for detailed audits of their governance frameworks. It is one thing for a third party to say it is going the extra mile to stay ahead of an industry’s compliance requirements. It is another to pass a forensic test that shows they are doing so. Similarly, companies need to work with their outsourcing providers to ensure they are on the same page when it comes to compliance. It is not enough to simply hand over dozens of policy and procedure documents and demand compliance. Rather, adopt a collaborative approach that defines the intent of such documents and how it needs to be applied.

The spotlight on Australian data security laws has rarely burned brighter, which is no surprise given the scale of the Optus and Medibank breaches. Every day customers are increasingly mindful of the security credentials of the companies they choose to share their personal details with and, amid such heightened awareness, the onus is on organisations to ensure they are taking every step to ensure both they and their outsourcing partners are deserving of their trust.


References:
1. https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack
2. https://www.theguardian.com/technology/2022/oct/26/medibank-confirms-all-39-million-customers-had-data-accessed-in-hack
