Australian businesses harbour deep concerns about the knock-on costs of the Federal Government's data retention proposals as it seeks toughen laws to crack down on terrorist threats.
That's according to a new survey which has found that Australian corporates generally support the government’s data retention proposals, but insist on strict safeguards to protect against the heightened privacy and cyber-crime risks.
The survey of managers and executives from organisations in the listed, private and government sectors conducted by global risk consulting firm, Protiviti, has revealed that 64 per cent of respondents support the government’s push to require telecommunications and internet companies to retain customer communications data for national security purposes for up to two years.
However, 78 per cent say this is strictly on the proviso that authorities have a Court-issued warrant to access the data – a restriction that does not currently apply to law enforcement agencies.
In the event the government proposes to allow security authorities warrant-less access to such information, a majority of respondents said this should be limited only to high risk national security investigations such as terrorism cases (88 per cent) or to serious crimes involving physical or community harm such as murder or paedophilia (66 per cent).
Protiviti managing director, Mark Harrison, said the business community appreciated that national security risks were a legitimate focus for the government at present.
"However they also feel that retaining customer ‘metadata’ can amount to a significant privacy incursion as it can reveal a great deal about a person’s movements, relationships and day to day lives," he said.
"Ultimately, they believe that the best way to balance these opposing and competing interests is to ensure law enforcement and intelligence agencies receive Court authorisation through a warrant, before they can access the information,” said Mr Mark Harrison, managing director of Protiviti.
The survey also found that 62 per cent of respondents believed the proposed data retention scheme would lead to greater data security risks in the form of more targeted hacking and cybercrime activity as telcos and ISPs become obliged to store larger volumes of personal data for longer periods.
In fact, the risks are perceived to be so great, that 87 per cent of respondents considered that those companies should have to apply specific security standards to the information held.
Harrison said there was no doubt companies were in a difficult situation with government policies appearing to be sending out mixed messages.
"On the one hand, the new Privacy Act which came into effect in March this year urges organisations to retain as little personal information as possible for as short a time as is necessary, to protect community privacy," he said.
"Yet on the other hand, the data retention proposals are pushing for large volumes of data to be kept for up to two years. Many companies are concerned that the vast stores of information created by these measures will act as a ‘honeypot’ for cybercriminals on the hunt for easy targets.
“In fact, as many as 22 per cent of respondents said that if the measures come in, their organisation may re-think its approach to using telcos and ISPs in order to protect business data.
"That could involve implementing further communication security measures such as moving to default email addresses or encryption,” Mr Harrison said.
Several telecommunications and internet companies have highlighted that the measures are likely to push up their data infrastructure and storage costs significantly.
The survey found that 61 per cent of survey respondents indicated that telcos and ISPs should be entitled to pass on those costs to users.
However, 47 per cent said that as business users, they would not be happy about having to pay the higher ISP and communications charges, as against 42 per cent who said they would accept the charges as the price for improving national security.
Importantly, 32 per cent of respondents said they expected the data retention measures to result in increased costs for their own organisations, not just in the form of higher telecommunications and ISP charges, but also as compliance costs, increased data security costs and the costs of implementing ‘knock-on’ business process changes.
And while 41 per cent reported that they, in turn, would pass on those costs to stakeholders, 32 per cent disagreed, saying the additional costs would be absorbed into their budgets.
Harrison said the direct and flow-on costs of these measures would ripple throughout the business community.
"And while there is acceptance from some quarters that the costs are justified in the interests of national security, the government may wish to canvass less costly policy options or alternative funding mechanisms for companies directly affected by the measures," he said.
The survey also found 89 per cent of respondents said it should be mandatory for all companies and government organisations which collect and store personal information to notify the public and affected stakeholders where they have experienced a data security breach resulting in the exposure of personal data.