
Rethinking Data Retention: More Challenging Than Anticipated


The Australian government’s review of data retention obligations on companies has proven to be far more complex than anticipated, with issues of scope and ambiguous legal language slowing progress. Peter Anstee, the first assistant secretary of cyber and technology security policy at Home Affairs, emphasized these challenges during his address at the AISA Melbourne CyberCon. He explained that the intricate nature of identifying and reconciling conflicting data retention mandates is creating significant hurdles in advancing legislative reform. The review gained urgency following the highly publicized Optus data breach, which brought attention to the risks of companies retaining customer data for longer than necessary, highlighting the need for clearer, streamlined data retention policies.

The review is a core component of the federal cybersecurity strategy, where one of the key priorities is to evaluate and potentially reconcile the myriad data retention requirements across industries. Anstee outlined the government’s phased approach to this effort, starting with a comprehensive review of the Commonwealth’s statute books to determine the exact nature of data retention obligations placed on businesses. However, this task is more difficult than it seems. “It’s taking us a little bit of time to understand all the data retention obligations that we have on companies,” Anstee admitted, underscoring the scale and complexity of the undertaking. He also noted that the review involves assessing whether it is possible to consolidate or rationalize these obligations without undermining the specific needs of certain sectors, such as healthcare and financial services, which often have unique data retention requirements for valid regulatory or operational reasons.

A key challenge in the review process is the lack of clarity in existing laws. Anstee explained that many of these laws are vaguely worded, simply requiring companies to “hold onto data” without specifying what data needs to be retained or providing clear guidelines on how it should be stored or managed. He pointed out that many of these data retention laws were written long before the digital age and are therefore outdated. Modernizing these regulations to reflect current digital storage capabilities and security requirements is a critical component of the government’s review. “There’s probably an uplift piece we need to do as well,” Anstee remarked, referring to the need to update and align the laws with present-day technological realities.

Beyond data retention, Anstee also addressed the growing concern over digital resilience, citing the recent incident involving cybersecurity company CrowdStrike as a pivotal learning moment. A faulty update to CrowdStrike's Falcon endpoint sensor inadvertently caused widespread disruptions, crashing Windows machines into repeated boot failures (widely described as "bricking" them), an event that highlighted the fragility of digital supply chains. Anstee described the incident as a near-miss, warning that a similar event on a larger scale could have catastrophic consequences. "What would it have looked like if it impacted not one percent of Microsoft-affected devices but 10 percent?" he asked, suggesting that the implications of such disruptions must be carefully considered. The government is now working closely with industry partners to develop a systems-level understanding of Australia's digital supply chains to mitigate such risks.

Anstee explained that the Security of Critical Infrastructure Act (SOCI) has been instrumental in shedding light on the interconnected nature of critical infrastructure supply chains, but gaps remain. The government is particularly concerned about the lack of visibility into global supply chain dependencies, especially the connections between critical sectors such as energy, healthcare, and education. By mapping these interdependencies and conducting regular stress tests, the government aims to build a more resilient digital infrastructure that can withstand potential disruptions, whether caused by human error or malicious cyberattacks.

The recent passage of Australia’s first dedicated cybersecurity bill was another focal point of Anstee’s remarks at CyberCon. He described the legislation as a “foundational piece” that provides a flexible framework for future cybersecurity reforms. One of the bill’s key provisions mandates that companies disclose any ransom payments made to cybercriminals. Anstee stressed that this requirement is intended primarily as a data collection exercise to enhance the government’s understanding of the ransomware threat landscape, rather than as a punitive measure. “We’re not looking to punish companies that report making a payment,” he said, emphasizing that the primary goal is to encourage transparency and data sharing to strengthen the country’s cybersecurity posture.

However, companies that fail to disclose ransom payments could face fines, though Anstee indicated that this would be a last resort. He explained that the government’s approach to enforcement would focus on engagement and collaboration, with fines only being imposed if companies consistently fail to comply. “It’s always good to start with voluntary measures and gradually increase enforcement if non-compliance persists,” Anstee noted, reinforcing the government’s preference for cooperation over coercion.

In summary, Anstee’s presentation highlighted the complexity and urgency of reforming Australia’s data retention and cybersecurity frameworks. The government’s methodical approach, which includes a thorough review of existing legislation, increased focus on digital resilience, and a flexible legislative framework, reflects its commitment to ensuring that Australia remains prepared to address evolving cyber threats while balancing industry needs and regulatory requirements.
