Ignorance no defence for encryption failure: Senetas boss

It’s staggering that many organisations still do not encrypt their data particularly when it is travelling across public networks, Senetas CEO Andrew Wilson said on Thursday.

Wilson made the comment in the wake of allegations by NSW Police this week that cyber security researcher and blogger, Nik Cubrilovic, hacked into the database of Australian car sharing start-up, GoGet.

Police investigators identified that unauthorised access was gained into the GoGet’s fleet booking system and customer information from the database was downloaded. The company emailed current and former members on January 31 notifying them of the incident, and that customer data had been compromised.

Wilson said today that although none of the customer data had been disseminated, the hack highlighted that such data must always be encrypted, rather than rely on good luck.

“Company directors much ensure their business is encrypting all the sensitive data they handle and ignorance will no longer be an acceptable defence,” he said.

He said too little data is being encrypted at a time when data breaches are on the rise citing Apple’s iCloud breach in 2014, an Australia supplier’s loss of the F35 Joint Strike Fighter and other defence aircraft project information in November 2016 as examples.

He said GoGet’s notification of a data breach puts the company, executives and its directors on notice – not just under the Australian Privacy Act but under corporations law and civil litigation.

“Unencryted data is now just a lawsuit and prosecution waiting to happen as consumers and businesses, whose data that has been accessed, are looking to the courts to seek financial compensation for organisations’ negligent behaviour. In the US, class actions are being prepared against organisations and their executives.

“Of greatest concern to executives and directors is that it is not the organisation alone held responsible but its board of directors and executives are personally accountable and liable.

“Data privacy security regulations are no longer just a compliance issue, nor are they just a privacy issue, they involve financial and reputational damage caused by poor security practices. But what is not as well known is that corporate law, in most jurisdictions, places substantial requirements on directors and executives to exercise due diligence which encompasses cybersecurity.

“Board members and company executives are being placed on notice to ensure they are doing all they can to ensure the privacy of their customers’, suppliers’ and partners’ data and their own intellectual property and business data, such as encrypting sensitive data,” he said.