Identity Resilience and digital identity – key defences against cyber threats

     Australia’s Digital ID Act 2024 has been passed – read more at Australia’s Digital ID Act and a new Trusted Exchange (TEx) – an update and a deep dive (16 August 2024).

    What you need to know

    • While in the past cyber attackers have focussed on disruptive attacks, the recent trend in high profile incidents is to hold sensitive stolen data to ransom – particularly identity information (such as passports and driver's licences) that can be used for identity crime.
    • Australia is looking to reduce the risk and harm of identity crime and cyber crime at an ecosystem level. A new National Strategy for Identity Resilience has been agreed, with consultation on refreshed digital identity legislation expected shortly.
    • Identity resilience and digital identity are key parts of a cyber-resilient ecosystem – making identity information harder to steal, harder to abuse, and easier to recover if compromised. These factors can shift the dial on cyber security risks and rebalance leverage in cyber ransom negotiations.
    • Minimising the collection and retention of identity information, including through use of digital identity and reform of data retention laws and practices, can reduce exposure to cyber risk and minimise harm to customers.
    • Holding identity information complicates incident response – even if there is no evidence of data theft. Strong data governance and incident response planning that looks at risk through the eyes of your attacker as well as individuals potentially harmed is essential.

    What you need to do

    • Understand your data – Audit the types of information that your organisation collects and stores – understand the information which may be most valuable to a cyber attacker, like identity information.
    • Risk-analyse your data collection, retention and deletion practices – Focus on higher risk identity data, such as passports and driver's licences, first. Can you cut down the data you collect or retain, or secure data better at different stages in its lifecycle, with technical solutions or operational changes?
    • Protect the data most valuable to attackers – Take additional measures to secure the data most valuable to attackers.
    • Reconsider data retention through a cyber-risk lens – Understand your data retention and destruction obligations, and revisit assumptions around business processes, best practices and business priorities – has your organisation adjusted to the new threat landscape?
    • Engage with regulators and lawmakers – Policy objectives requiring retention must be balanced against cyber risks. Now is the time for the regulators and the regulated to talk, with Australian governments making commitments to support private and public sectors to collect and retain less information.

    A systemic ecosystem risk

    Widespread collection and use of identity information such as passports and driver's licences in day to day business represents a systemic ecosystem risk that makes those holding identity information attractive to cyber attackers and fraudsters.

    Organisations from the largest corporates and government bodies to small business need to collect identity information, often to comply with law.

    Commonwealth, State and Territory governments have agreed a National Strategy for Identity Resilience, recognising the critical role that resilient identity and the adoption of digital identity plays in building Australia's vision of being the most cyber secure nation in the world by 2030.

    Identity resilience, enabled by interoperable and portable digital identity, aims to provide more secure, robust, and trustworthy systems to prove we are who we say we are by making identity information harder to steal, harder to abuse, and easier to recover if compromised.

    You can read more about the strategy and the push for new legislation in our recent publication Australian digital identity gains traction.

    Why identity crime matters

    Identity crime is a significant cause of direct harm to the Australian economy in its own right – estimated to have cost $3.1 billion in 2018-19.

    Stolen identity information can be a valuable commodity – used for identity fraud, or sold for others to use. According to Australian Bureau of Statistics research, stolen personal information is generally used to obtain money from bank accounts, superannuation, investments or shares (56%), as well as for other purposes, such as to open new phone and utility accounts (16%) or apply for loans or credit (7.9%).

    Identity crime is a recognised key enabler of serious organised crime (estimated to cost the economy over $60 billion in 2020-21) as well as terrorism.

    Identity crime can be an enabler of further criminal activity (eg stolen identity information can be used to set up fraudulent accounts, which can in turn be used for money laundering or as further fraudulent proof of identity). Identity crime can also result from, or be the motivation to commit, cyber crime (eg a cyber attack to steal identity information).

    Most importantly for organisations that need to manage identity information, the threat or possibility of identity crime is a key lever applied by ransom threat actors.

    How identity resilience can shift the dial on cyber risk

    • Reduce the need to collect and store identity information: Broader uptake of digital identity can mean we don't need to collect as much identity information.
    • Reduce the harm flowing from a cyber attack: A resilient digital identity ecosystem will make identity fraud more difficult, and will simplify how we respond – for example, by being able to rapidly revoke and re-issue stolen identity credentials.
    • Reduce the value of stolen information to attackers: More robust identity-checking, for example when applying for a loan, means stolen identity information is less valuable.
    • Rebalance the ransom threat environment: If the harm an attacker can inflict is minimised, the incentive to pay ransom is reduced, reducing an organisation's attractiveness as a target of cyber crime.

    The ransom threat environment

    Identity crime causes significant emotional, psychological and financial harm. But this is only part of the picture. The threat that stolen information will be released or used for identity crime is powerful leverage which is applied by threat actors to extort ransom payments.

    The Australian Government does not condone payment of ransoms, and consulted earlier this year on whether to ban ransom payments (as part of the 2023-2030 Australian Cyber Security Strategy).

    Large organisations are already demonstrating they will not pay ransoms – focusing instead on supporting their customers through the consequences of a data breach.

    But these incidents remain extremely costly and disruptive for targeted organisations, for the individual victims, and for the broader Australian community.

    A resilient digital identity ecosystem reduces the harm flowing from a data breach – stolen credentials are harder to use for identity crime, and can be more easily re-issued or remediated (if required). Reducing a threat actor's ability to cause harm reduces the incentive to pay a ransom, which in turn should make an organisation less attractive for cyber attacks.

    Managing identity data risk

    The rollout of digital identity, and its adoption by business, government and consumers will take time.

    Business and government can take steps now:

    • Understand identity information collected by the organisation – and why.
    • Examine which business processes access or rely on identity data. Do they need to? Could identity information be siloed?
    • Revise business processes to reduce collection or access to identity information.
    • Protect identity data – if identity data must be collected, can it be secured better? Can identity information be isolated from systems that might be compromised?
    • Consider security through the data lifecycle – identity data might need to be actively accessed initially to verify identity, but might subsequently only be needed for compliance purposes – could data be shifted to more secure isolated archive until you are permitted to securely delete it?
    • Review data governance frameworks and controls, taking into account not only business continuity or operational risks, but the value of identity data to threat actors and potential harm to individuals.
    • Undertake privacy impact assessments for any identified high risk projects or use cases.

    You can read more about understanding your organisation's data and 4 key steps to addressing data risks.

    Risk-informed data retention laws

    Sensible and targeted data retention reforms are also on the regulatory agenda.

    Regulatory requirements to authenticate or collect identity information can present a key challenge to implementing data minimisation techniques to combat cyber crime and identity theft.

    Data retention and destruction obligations are diverse and overlapping, and are driven by different policy objectives. They are challenging to understand – and are often misunderstood. The result is that Australian organisations often retain data for longer than necessary.

    The benefits of retaining information must now be balanced against the risks of retaining it – and the costs of keeping it secure.

    One particular challenge for government bodies comes from regulations that may require them to retain sensitive information (including identity information) beyond its useful operational life. For example, the Archives Act 1983 (Cth) requires retention of personal information for in excess of 100 years in some cases.

    The Privacy Act Review Report recommended that the Commonwealth Government review all data retention obligations for personal information to make sure that policy objectives are balanced against cyber security risks. Commonwealth, State and Territory Governments have committed as part of the new National Strategy for Identity Resilience to supporting business and government agencies to collect and retain less personal information where appropriate (balanced against legitimate law enforcement and regulatory needs for retention).

    Private and public sector bodies with lived experience of data retention challenges and risks can help regulators and lawmakers strike the right balance. This will be an ongoing process – there will no doubt be some "easy wins", but more far-reaching reforms may need to move in lockstep with digital identity and identity resilience developments.

    Managing data breach notifications

    Holding identity information increases the already significant regulatory burden for the targets of cyber attacks.

    Knowing whether a cyber incident involves identity information is essential to effectively protecting customers and complying with data breach notification obligations. This can be easier said than done unless you have a strong data governance framework and incident response plan.

    When cyber incidents occur, organisations holding identity information are far more likely to be required to notify the privacy regulator and impacted individuals under the Australian Privacy Act Notifiable Data Breaches scheme.

    Australia's privacy regulator has made it clear that:

    • theft and financial loss through fraud are examples of "serious harm" that could trigger notification obligations; and
    • notification obligations can be triggered by an attacker having access to information alone – absent further information, an attacker who has encrypted your data should be assumed to have had access to, and therefore may have taken, that data – cyber attackers can and do cover their tracks.

    This can mean an organisation holding identity information alongside other data can be required to give data breach notices for an attack that aims to disrupt the organisation, but not steal data (like a ransomware attack). Similarly, infiltration by a surveillance-based threat actor (such as Volt Typhoon) might trigger notification obligations even where the attacker has no obvious interest in stealing identity information.

    If identity information has been compromised, customers may need to take steps to protect their identities and prevent fraud – the exact steps may depend on the identity information that has been compromised, and may mean talking to different government bodies. The National Strategy for Identity Resilience calls for "no wrong doors" for identity remediation – so individuals can talk to a single department – but this is a long-term initiative not expected for 3-5 years.

    Reform proposals under consideration as part of Australia's overhaul of privacy laws will place additional pressure on organisations holding identity information. Proposed cyber security reforms include:

    • tightening timeframes for data breach notifications discussed above to 72 hours after an entity has reasonable grounds to believe a data breach has occurred; and
    • an obligation to take reasonable steps to prevent or reduce the likely harm to individuals from a data breach – these harms and reasonable steps might look very different for compromised identity information.

    The new National Strategy for Identity Resilience calls for clear accountability and liability for the costs of remediating compromised identity credentials, with solutions that minimise harm to individuals – further increasing the potential costs associated with holding identity information.

    Authors: Rebecca Cope, Partner; Mathew Baldwin, Partner; Bikram Choudhury, Director, Risk Advisory; and Andrew Hilton, Expertise Counsel


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.