CFOtech New Zealand logo
Technology news for Kiwi CFOs and financial decision-makers
Partner content
Story image

Why how you store data could make or break your business

By Jessie Chiang
Mon 30 May 2022

It began with an old website that was no longer being used and ended with AA Traveller emailing hundreds of thousands of customers, telling them their personal information was in the hands of hackers.

The reason?

Setting aside the fact that cybercriminals are ultimately to blame, the AA never deleted the data on the decommissioned website. This allowed hackers to take the names, addresses, contact details and expired credit card numbers of customers who used the website between 2003 and 2018. In particular, there was a 2010 online survey that nearly 30,000 people responded to. The AA said those surveyed were at risk of being hacked by an overseas account. 

On top of that, the breach itself happened in August last year. AA Traveller only found out this March. It made a public apology, acknowledged customers should have had their data protected and said it was "incredibly sorry".

But it's something Auckland-based IT services provider Vertech says could have been completely avoided. The company's founder and CEO, Daniel Watson, thought the AA would have had that data better secured than it did.

"[The survey] was 12 years old," he says. "Why were you still keeping it?"

Knowledge is power

The acting Privacy Commissioner Liz MacPherson says as the world continues to morph into a digital economy, data becomes more and more important.

For example, the more you know about a person, the more you can personalise services or products for them, increasing the chance they'll like it and, as a result, keep them coming back. MacPherson says personal information is being collected every day. According to the Privacy Act, the commissioner says personal information is "any information about an identifiable living human being, so anything that can tell us about a specific individual."

"There are all sorts of different things if you use that definition that are picked up as personal information - names, contact details, financial health records, purchase records, client details, client records, correspondence, employee records," she says.

So just how much information does the average organisation hold about us?

Vertech's senior systems engineer Peter Drum specialises in data and data governance and explains that it's complicated.

It depends on a whole range of factors, including the:

  • Length of time the business has been running
  • Scale of the business and the nature of the work they do
  • Data retention of the business, this can be affected by things like legal requirements and whether acquired companies have different metrics for retaining data

"There's not sort of one guiding figure that you might say for every three staff you have 200 gigabytes of data or something nice and simple like that," says Drum.

Watson says anecdotally, clients seeking him out know they have issues, but they're not sure what they are.

"Very few companies come to us and say 'hey say check us out' and we have a look and we say 'oh nothing to do here, you're good'. Essentially, from our perspective, it's a vast market but at the same time that's quite worrying. We've all become digital packrats."

Drum says that's because the storage of data itself has changed. There's simply no limitation on how much you can store because companies don't need vast rooms for physical records.

"You can keep huge amounts of data, the limitation is not cost anymore, the limitation is really do you need it?" he says.

"That can be a hard decision or a low priority decision because there are other concerns that business owners have."

But choosing to delay dealing with data storage can come back to haunt companies. The AA example is the most recent warning but surely won't be the last.

Under the Privacy Act, agencies must take reasonable steps to avoid security breaches and protect customer data privacy.

MacPherson explains what the threshold is. "Its a case by case situation," she says.

"[But] we would be expecting agencies to understand the nature of their data, the nature of their data flows and to have put in place reasonable protections externally, making sure if you use software that it's patched regularly, passwords, authentication, making sure usb sticks are encrypted, all those sorts of things."

Breaking the law

Under the Privacy Act, there are two avenues for the Privacy Commission to investigate a company around breaches. First, an individual can make a complaint if they feel a business has breached their privacy or if the company refuses to give them the personal information they hold on that person.

"We look at, first of all, has there been a breach of their privacy and secondly whether there's been harm caused," says MacPherson.

"If we find that there has been interference in someone's privacy we can recommend financial compensation. We don't actually issue fines [ourselves], but if a privacy complaint then goes onto the human rights review tribunal, an agency can be liable for damages up to $350,000 per privacy complaint." 

The second way the Privacy Commission can investigate a company is through a new power under the Privacy Act 2020. The Privacy Commission can take proactive action where it believes there are systemic issues or failures regarding privacy breaches. After the initial investigation, MacPherson says they try to educate the organisation.

"Often that's really successful," she says.

"People go 'oh gosh I never realised that this was what I was supposed to do' and they put it right. Sometimes we have to give people warning letters which effectively say, if you don't put this right then we're potentially going to follow up with a compliant notice or we could take compliance action."

MacPherson says there are multiple different points where companies can turn things around without being taken to court.

"Prosecutions take a long time so our aim is to actually get the behaviour shifts early and we think it's in the best interest of agencies to change their behaviour," she says.

However, if it does land in court, the maximum penalty for a criminal offence, such as failing to comply with a compliant notice, is $10,000.

Since December 2020, there's also a mandatory requirement for businesses to disclose serious harm privacy breaches within 72 hours of becoming aware of it. But MacPherson says the legal implications aren't the only consequences companies should consider.

"The biggest issues for a company is actually the reputational damage that comes from having a breach, be it an internal or an external breach. The reputational damage is the thing that will stay with the company and it can mean the customers lose confidence," she says.

"Trust is something that takes a long time to build and it's very easy to lose."

How do you keep data and yourself safe?

The Privacy Commissioner says before even thinking about cybersecurity measures, companies should only collect the data they actually need. Then they should think about a retention schedule, which sets out how long the data will be kept for. MacPherson says this rule of thumb can be applied to something as simple as being a landlord and collecting information about applicants.

"If you were applying to see a flat…you might send in an application form," she says.

"If you didn't become the preferred tenant then your application form should be deleted at that point, none of that information should be stored."

MacPherson says companies that want to continue collecting data have to maintain trust and confidence by only collecting what they need, making it clear what it is they are using it for, only use it for that purpose, keep it safe and secure and then delete it when they no longer need it.

Vertech says the most common issues companies have when it comes to data are that they don't know what they have or where it is, there's overly permissive access to information, and they hold a sunk cost fallacy.

1. What do we have and where is it again?

Watson says businesses might not have narrowed everything down about their data and where it's stored. He says multiple departments might be collecting data on their clients and storing them in different locations with different methods.

"Are they encrypted, are they secured from inappropriate access or unauthorised alteration, are they even backed up?" he says.

"The worst thing that might happen for a company's data is not that somebody else gets access to it and steals it, it's that it's lost. So is it stored in a way that actually protects it from accidents?"

"I've heard from security staff who have been dealing with large businesses that have been using free marketing tools and uploaded their client list into it, not realising that when you use the free version…your client list might be being shared by third parties."

2. Overly permissive access

Watson urges companies only to give employees access to what they need to do their job and says he learnt this the hard way. When Vertech was smaller, he hired from family and friends, but once it started growing, Watson had to hire outside of that circle.

"Somebody else came into the businesses, we gave them that trust, they had all sorts of access that we realistically should never have ever given them and they abused it," he says.

"So it's all good right up until it isn't. It's easy to make things work, a lot of it is just get it working. But securing it after the fact is harder than baking it in in the beginning."

The Privacy Commissioner says many agencies think only about external security risks instead of data breaches from within the organisation. She says the leading cause of data breaches is actually still human error, though there has been an increase in malicious attacks. MacPherson says human error doesn't necessarily mean someone has intentionally abused their access to information; it could mean sending the wrong email to somebody etc.

"Usually what happens is that the agencies concerned say to us, [it was a] 'human error' and when they say human error what they effectively are saying is it was an accident," she says.

"But actually most of these human errors could be avoided."

And one way to avoid it is to limit the access employees have to the data.

"You don't want to have open access to personal information and you also need to think about the audbility of your access provisions as well, so you need to able to see who's been  into a particular file," says MacPherson.

3. Sunk cost fallacy

Drum warns companies not to get stuck in the mindset that it will be too hard to change anything now or that people don't abuse their access anyway.

"If you plan and manage change appropriately the impact is almost always zero otherwise its very low," he says.

He says the best thing a company can do is a regular review process.

"It doesn't matter the frequency so much as long as it's no less than annual," says Drum.

"You really do need a champion in the business"

Watson says for any lasting change to occur, it needs to be from the top down. He says if the directors of the board aren't engaged, then change is unlikely because the people underneath aren't going to get direction, written policy, or resources to make changes.

Drum agrees and says, "You really do need a champion in the business."

He believes directors and boards are becoming more aware of the implications of data storage, but there's still a long way to go. Drum warns that collaboration is needed between the business itself, operations and whoever looks after the systems.

"If you come along and make a bunch of changes to things without consulting the people who use the data you can block access that people need," he says.

MacPherson strongly encourages companies to prioritise data and says data is critical for an agency's ability to innovate and improve its operations. But she says only companies who take responsibility for data earn the trust of customers and have the social license to use personal information.

"Personal information is precious, people need to protect it," she says.

Public Interest Journalism Fund logo
Public Interest Journalism funded through NZ On Air.
Related stories
Top stories
Story image
Commerce Commission
ComCom puts electronics sector on notice over resale price maintenance
The Commerce Commission has concluded an investigation into allegations that television manufacturers were engaging in illegal resale price maintenance.
Story image
Market growth
Salesforce unveils new offerings for consumer goods companies
Salesforce has announced new products for consumer goods companies to help brands navigate increasing market complexity more easily.
Story image
Cyclone selected as NZ MOE software licensing partner
Following a recent Request for Proposal (RFP), Christchurch-based company Cyclone Computer Company Ltd (Cyclone) has been selected as The Ministry of Education’s software licensing partner.
Story image
Workday winning on culture and family focus
This family-first approach sees all employees receive access to family-wide private healthcare cover, as well as income protection and life insurance policies.
Story image
New financial accounting hub can manage 40 million events daily
The new Axway Financial Accounting Hub can manage 40 million events daily and halve costs and integration time for ERP Finance migration projects.
Story image
Tech job moves
Tech job moves - Boomi, Limepay, Thales, VMware & Zoom
We round up all job appointments from June 6-16, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Dell Technologies reveals growth of Student TechCrew in A/NZ
Dell Student TechCrew is an initiative designed to promote future career skills through Dell’s technical certification program and hands-on experience.
Story image
Open source
DataStax secures US$115 million to fund database expansion
DataStax has secured US$115 million in funding, which it will use to develop and expand its Astra DB multi-cloud database and Astra Streaming service globally.
Story image
Artificial Intelligence
Salesforce harnesses automated solutions with new developments
Salesforce has launched Sales Cloud Unlimited, a new feature to help accelerate productivity with AI and automation.
Story image
Banks, PSPs prioritising payment modernisation to compete
A new report gives payment providers a forward-looking view of the evolution of payments and investment drivers for modernisation.
Story image
Ready for anything with the PagerDuty Operations Cloud
In a world of digital everything, teams face increasing complexity. Ever-growing dependencies across systems and processes put customer and employee experience, not to mention revenue, at risk.
Story image
Contact Centre
Customer service agents don't want to return to contact centres
A new report has revealed that 85% of customer service agents want to work full-time at home and not return to contact centre offices.
The Access Group
Struggling to understand which transformative technologies will help your business? The Access Group provides a look into key opportunities and impacts for finance.
Link image
Story image
Industry-first comprehensive risk-based API security enhances protection
Application Programming Interfaces (APIs) have become a crucial part of operating web and mobile application businesses and are causing significant economic growth in the digital sector.
Story image
The rise of digital gifting in the workplace
The name itself does most of the explaining; it’s a gift you receive virtually. But a misconception about digital gifts is that they need to be redeemed virtually as well. 
Story image
Open XR
Juniper Networks, Sumitomo Electric, Arrcus join Open XR forum
Building a robust multi-vendor ecosystem is essential to enable network operators to achieve increased network capabilities provided by XR optics technology.
Story image
SolarWinds IT Trends Report highlights increased cloud complexity for businesses
SolarWinds' new IT Trends report has signalled a significant shift in the way businesses are dealing with hybrid cloud and infrastructure.
The Access Group
Increasing headcount isn't always the best way to grow. A good financial strategy can help solve many issues, and The Access Group shares the secret to success.
Link image
Story image
TradeWindow using Nintex platform amid global expansion
TradeWindow is using Nintex Promapp to support its recent expansion and to prepare for ambitious international growth.
Story image
Automation a point of difference for APJ enterprises - report
There has been a massive shift in which departments are using automation tools and creating those automations, according to Workato.
Story image
How a single mandate changed software development forever
There’s conjecture about exactly when it was issued and by whom, but a mandate made twenty years ago is continuing to shape the software development process today.
Story image
N4L, Spark, Chorus partner for Hyperfibre school upgrade
Networks for Learning (N4L) has partnered with Spark and Chorus to upgrade Wellington College to Hyperfibre, fostering stronger outcomes for students and teachers.
Story image
Cisco launches AppDynamics Cloud for greater performance
Cisco has launched AppDynamics Cloud, enabling the delivery of better digital experiences by correlating telemetry data from across any cloud environment at scale.
Story image
Cloudflare outage in 19 data centers worldwide due to own error
Cloudflare says its outage for 19 of its data centers yesterday was because of a change in a long-running project to increase resilience in its busiest locations.
Story image
Dark web
Cybercrime in Aotearoa: How does New Zealand law define it?
‘Cybercrime’ is a term we hear all the time, but what exactly is it, and how does New Zealand define it in legal terms?
The Access Group
Health and social care organisations are currently under significant financial pressure. Find out how financial transformation can help provide an effective route forward.
Link image
Story image
Why is NZ lagging behind the world in cybersecurity?
A recent report by TUANZ has revealed that we are ranked 56th in the world when it comes to cybersecurity - a look into why we're so behind and what needs to be done.
Story image
Artificial Intelligence
Finance is on a new footing to improve internal customer service
Finance functions and leaders have marked 2022 down as a year for process improvement, writes Servicely’s founder and CEO Dion Williams.
Story image
The best ways to attract young talent during labour shortages
New research from Citrix reveals hybrid working and ventures into the metaverse are top of mind for Gen Z workers.
Story image
Majority of APAC CFOs concerned about rising wages
"In challenging times, CFOs look to determine how they can do things differently and as a result, new ideas about future growth emerge."
Story image
How TruSens air purifiers can create healthier workspaces
The pandemic has heightened our awareness of our own and others’ health, and made us all much more conscious of the environments we work in.
Story image
IT and security team collaboration crucial to data security
Many IT and security decision makers are not collaborating as effectively as possible to address growing cyber threats.
Story image
Digital Transformation
Apptio adds portfolio enhancements to promote digital strategy
"While digitalisation creates opportunities, it also makes budgeting far more complex, leading many companies to waste substantial funds."
Story image
DigiCert acquires DNS Made Easy and affiliated brands
Greg Clark comments, says, "This combination enhances the security of certificate validation and enables the automation of future validations."
Story image
Orbital Insight
Orbital Insight solution set to drive better data-driven decisions
The company says the new Site Intelligence solution will provide granular visibility, behaviour analytics and deep insights about customers and competitors at any location. 
Story image
Airwallex, Xero extend partnership with easier invoice payments
Airwallex has extended its long-term partnership with Xero by releasing a new payment link integration for Xero invoices that will make receiving them easier and faster for Australian businesses.
Story image
Dynatrace named Leader in Gartner’s 2022 Magic Quadrant
Gartner has named Dynatrace a Leader in the 2022 Magic Quadrant for Application Performance Monitoring (APM) and Observability.
Story image
Cisco Live showcases new offerings in its first hybrid event
Cisco Live 2022 has seen Cisco executives and customers take the stage to present a range of discussions in the company’s first-ever hybrid event.
Story image
Volpara, Microsoft project to detect cardiovascular issues
Volpara Health Technologies is working with Microsoft on a research and development project to speed up creating a product that detects and quantifies breast arterial calcifications (BACs).
Story image
Tech job moves - EOS, Rubrik, SAP, Talent, Verizon & Zoom
We round up all job appointments from June 2-8, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Manhattan Associates
New late-stage order cancellation to improve customer service
Manhattan Associates launches new service allowing orders to be cancelled up to the point of manifested/loaded status, preventing unwanted shipments and costly returns.
Story image
Robotic Process Automation / RPA
rapidMATION helps Coates achieve success with landmark RPA solution
A strong Robotic Process Automation solution (RPA) can help solve many complex issues that businesses face daily. 
Story image
Robotic Process Automation / RPA
Study shows prioritising IA can deliver better operational outcomes
A new Everest Group Pinnacle Model study, supported by SS&C Blue Prism, has found that businesses that use and develop solid automated practices tend to see better operational outcomes.
Story image
Hybrid workforce
Why hybrid working is here to stay and how to ace it
Citrix's new report reveals hybrid workers are more productive and engaged at work than their office and completely remote counterparts.