CEOs at every level must put more effort into understanding, defending and commercialising their greatest intangible asset – their data. By Joel Hanrahan.
In a series of dark web blog posts, the REvil cybercrime gang last year began leaking thousands of private records stolen from Australia’s largest private health insurer Medibank.
The data dump was the result of Medibank’s refusal to pay a ransom demanded by the gang when 9.7 million of its current and former customers were exposed to a cyberattack that nabbed personal data such as name, address, date of birth and gender, along with significant amounts of sensitive health claims data.
Medibank said the hack might cost the company between $25 million and $35 million so it’s safe to say the insurer’s leaders are feeling a plethora of emotions after this event.
Australian cybersecurity minister Clare O’Neil called the cybercriminals “disgraceful human beings” for leaking the records but praised Medibank for being consistent with government advice and refusing to pay up in the event of a ransomware attack.
Similar breaches have struck Kiwi organisations that hold sensitive medical data. In 2021, a ransomware attack on the Waikato District Health Board took down hundreds of servers. After the DHB refused to pay the hackers, the private information of both employees and patients was released onto the ‘dark web’ (which refers to data stored online that is not indexed by search engines).
We are well past the point of issuing a ‘wake-up call’ for businesses. No matter how valuable a company believes its data is, they should quadruple that estimate – and then double it again.
This Medibank breach is not just about data; what sets it apart is that it involved confidential health data.
Data like this is arguably the most important intangible asset a firm can possess.
In fact, as companies find new ways to merge, mix and holistically connect all sorts of seemingly innocuous data so they can generate better customer insights, every data pool now has the potential to be enormously damaging for real people should it ever leak to cybercriminals.
Think of the opportunities for manipulation, threats, extortion and impersonation that criminals now have.
Of course, the only way to be 100 percent safe from cyberattacks is to not collect any customer data whatsoever. After all, if there’s nothing to steal, then criminals will move on to a juicier target. But too many companies have bet the house on capturing as much customer data as possible, so that solution would be economic suicide.
On the other hand, protecting a critical intangible asset like data is a cat-and-mouse game in which businesses compete with two hands and a foot tied behind their backs, while the cats can reach out to touch their prey from anywhere in the world.
No matter what a company does to protect its data, there will always be a hacker working on a workaround. It’s an unfair game.
But that’s no excuse for complacency, especially when people’s lives and livelihoods are at risk.
Business leaders have two choices for solving the thorny problem of data: put in the hours to understand how to use and protect it or ignore the issue and hope roving cyber pirates don’t stumble across a database vulnerability.
When (not if) a breach occurs companies across the world are likely to be subject to fines and – perhaps worse – the reputational hammer blow that comes from customers leaving in droves.
More governments will certainly be looking at the Medibank breach, along with other cyberattacks that occurred last year, and drafting up new plans to clamp down on firms that may be dragging their feet when it comes to protecting the personal data of citizens.
For example, the Australian government last year said it would increase the maximum penalties under the Privacy Act 1988 for serious repeated privacy breaches from the current $A2.22 million, to either $A50 million, three times the value of the stolen data or 30 percent of adjusted revenue turnover in the relevant period, whichever is greater.
Back over the Tasman, even though New Zealand’s government updated its Privacy Act back in 2020, the maximum fine for a serious data breach is still a puny $10,000.
By comparison, health and safety breaches can cost a company between $500,000 and $3 million. After the Medibank hack, it should now be clear that stolen health data can be as damaging as falling off a ladder.
The legislative landscape in the US is more nuanced since rules differ between states. But penalties for cyber breaches can range from $US1.5 million per year (or $US50,000 per stolen data record) and one to 10 years in prison under the HIPAA (Health Insurance Portability and Accountability Act) laws to $US100,000 for each violation and a $US10,000 fine for the directors, along with up to five years in prison, under the GLBA (Gramm-Leach-Bliley Act) laws.
In the Information Age, it’s hard to believe any leader doesn’t understand the value of data. But worried business leaders are advised to do three things – these are not optional:
• At a minimum, understand you are a custodian of a highly valuable intangible asset.
• Go shopping for the best ways to protect your data. No protection is perfect, but a hard target is less attractive than low-hanging fruit.
• Brainstorm ways to commercialise your data. Like money, data is useless until it is put to work.
The biggest lesson of Medibank’s troubles is that CEOs at every level must put more effort into understanding, defending and commercialising their greatest intangible asset – the data. Someone is bound to eventually squeeze value from your data. Make sure that’s you and not the bad guys.
Joel Hanrahan is a Managing Director at EverEdge, a global Intangible Asset advisory, corporate finance and investment firm.
