Data security and the role of actuaries

“With great power, there must also come great responsibility.” - Spider-Man, Amazing Fantasy, August 1962.

Recent data breaches in the news have made me reflect on what information about me is being held by different organisations. Yes, I’ve been complicit in handing over personal data and letting some of it accumulate in the ether because I’d like to access services or get a free smoothie, but increasingly I’m conscious of the potential significance of my apathy.

This led me to consider whether there is a role actuaries can and should play in this area given our profession’s intrinsic reliance on data.

The Risks of Personal Data

Recent public examples have highlighted the value of personal data to external parties who obtain it, without permission, for untoward purposes. This has cast a spotlight on the security of the personal data that Australian consumers have provided to a range of commercial organisations. Indeed, the last quarter of 2022 has been filled with media stories of security breaches and of data being obtained by cyber fiends, often seeking a ransom or some other benefit from it. The range of industries impacted is diverse, including the telco, insurance and pharmaceutical sectors, to name but a few.

Cybercriminals who steal data can make lucrative gains by holding to ransom the companies entrusted with the data, by targeting the individuals impacted, or by selling the information to others who may have a use for it. In the sectors in which actuaries often work – predominantly financial services companies – the information collected, used and stored is fundamental to the ability to do business, but it is personal and sensitive in nature and may have a serious effect on individuals if disclosed.

Even data related to the initial identification process is sensitive. Information collected could include the name, date of birth, gender, address and contact details. Information from identity documents such as driver’s licences, Medicare, ATO numbers and passport/visa information may be collected too. Some insurers also hold billing information (like credit card and bank account details), employer information, claims information, health history and past treatments.

Naturally, such information could cause personal financial loss and emotional harm if exposed and combined. Every additional piece of information increases the chance that someone else can impersonate or steal that person’s identity.

How has Australia responded to risks?

It is not as though companies, governments and regulators are oblivious to the rise of cybercrime, or to the proliferation of personal data collection and the risks that come with it.

The prudential regulator, APRA, mandates that organisations in the financial and insurance sectors have measures in place to be resilient against security incidents, maintain an information security capability commensurate with the size and extent of threats, and have controls to protect information assets from cyber-attacks. This is via CPS 234 (Information Security Standard), which came into effect on 1 July 2019. Notably, CPS 234 makes it clear that the Board is ultimately responsible for information security.

More generally, businesses (or those defined as Australian Privacy Principles entities) have legal obligations under Australian privacy law to keep personal information secret, to take steps to protect the personal information they collect from being illegally disclosed or stolen, and to destroy information that is no longer needed.

Obligations are stricter for sensitive information because of the potential severity of disclosure (for example, a person may suffer discrimination, mistreatment, humiliation or embarrassment).

Until recently[2], the maximum financial penalty under the Privacy Act 1988 was $2.22 million, but the Federal Government tabled legislation in October 2022, subsequently passed in November 2022[3], to significantly increase the penalty for repeated or serious privacy breaches to the greater of:

  • $50 million;
  • Three times the value of any benefit obtained through the misuse of information; or
  • 30 per cent of a company’s adjusted turnover in the relevant period.


The Privacy Act is also under review by the Attorney-General’s Department, with recommendations for further reform expected.

What insights has this provided around data security?

The reasons for data breaches vary, and once information has been hacked it is very difficult to guarantee that the data is later deleted and the information secured.

Recent events have also shown that the consequences of a hack are not confined to the company and its customers: the broader community, including the government, may ultimately be involved in the subsequent recovery process. This can challenge society’s perception of the safety of its information, which then becomes a larger issue.

One societal aspect being actively discussed is the consideration of alternative methods of validating personal identity, with the government potentially having a greater role. Is the public more willing to trust the government, and will it be more open to a national identification system than in the past? The Access Card (proposed in 2005) and the Australia Card (proposed in 1985) were both abandoned, with privacy one of the concerns. This January, Government Services Minister Bill Shorten touted a transformation of the MyGov app to allow Australians to verify their identity by having driver’s licence, passport details, Medicare details and voting information all stored in a ‘Government Wallet’.[4]

In reality, the data evolution is well beyond being rolled back, so it is not a question of withholding all information. It is instead a question of how the information provided can be trusted to be used for the benefit of the customer providing it (such as is envisaged under the Consumer Data Right legislation[5]).

Over the past 15 years, technology related to data transfer and storage has grown rapidly. Many more companies can collect information on their customers, and consumers leave increasingly large data footprints. As a consequence, companies have the responsibility (and need to ensure they have the ability) to understand their data footprint and have full visibility of their data environment.

The focus must be on ensuring the data provided is secure and fit for the purpose needed by the organisation requesting it, especially when it may involve personal and sensitive information.

Customers will likely expect that the companies they provide their information to will:

  • Understand what types of data are stored and sent.
  • Understand what third parties are involved in the process.
  • Classify each data type and define what data is necessary to collect.
  • Clarify where it is stored.
  • Identify who has access to the data and who should have access.
  • Identify what it will be used for.
  • Be clear on how data is shared with other organisations and vice versa.
  • Have a plan on what and when data is destroyed.


This is not a trivial task. The data governance and infrastructure need to be adaptable to a forever-changing future environment.

For those companies that actuaries traditionally work for – such as insurers – this can pose particular challenges. For instance, an insurer providing life or ongoing health-related benefits and services will likely need to know certain personal information about the insured in order to appropriately tailor the claims management process or benefit services to that individual. This would be far less effective without detailed information about the policyholder, including the individual’s health history.

Ideally, data collected and held by companies should collectively benefit the customer while preserving the trust of those from whom it has been sourced. Data retention needs strong governance, a clear purpose and good use of technology. Holding data that can be linked back to an individual is a risk, so it needs to be used for its intended purpose and held only for a period appropriate to that purpose. Importantly, where possible, it should be anonymised.

Technology exists to work securely and smartly with data, but it still requires a supportive governance framework, which includes the buy-in of employees to protect data. For example, technology exists for:

  • Encryption of data, both at rest and in transit (databases, files, documents, messages, and other communication channels over their network).
  • De-identifying data.
  • Sharing data and using it while not disclosing the information that identifies the individual.
  • Curation of data, including regular purging and managing what data to purge.


With increased data accumulation and cybercrime, combined with advances in computing power and techniques, putting these structures in place and leveraging advancing technologies is a must.

What now for actuaries and what implications for the future?

The general public is now attuned to the ramifications of unintended access to sensitive personal information. For the individuals involved, it can be traumatic and distressing, and for the companies affected by breaches, the tangible and intangible losses may be considerable.

Regulators will increase surveillance activity, and with legislation substantially increasing the financial penalties, companies will need to reconsider their data risk thresholds. CEOs and Boards will likely make different decisions about how and where they invest.

As actuaries, our roles could be to:

  • Continue to champion the use of data, but also be at the forefront of conversations on its use and protection.
  • Be across the advancing technologies available to work securely with sensitive data.
  • Be vigilant about the necessity of the data being collected.
  • Work with companies to understand and quantify the operational risk impacts.
  • Ponder further and develop useful insurance solutions (e.g. cyber insurance) to assist companies in whichever phase they are in protecting data.


Note: This article has been written in my private capacity and opinions expressed do not necessarily reflect those of my employer.

References

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.