
How do we achieve watertight data security in a world of leaks?

By Rebecca Pease posted 03-05-2023 10:59


Hello Legally Yours community! Here's a blog from Galilee - the law firm that helped develop Livesign. This piece discusses ARNECC's current data retention requirements and the significant risks they hold. We'd love to hear your thoughts on ARNECC's data retention requirements. 

So many things in life are worth protecting. We take reasonable steps to make sure material items such as houses, cars and jewellery are protected at all costs. We guard our credit cards fiercely.

You wouldn’t choose to leave your car out in the hail. You wouldn’t leave your credit card on a shop counter for all to see. So why is it that the most precious thing we own – our identity – can be so easily lost, stolen, or leaked? The answer lies in the way identity documents must be stored for high value transactions such as buying and selling property or obtaining finance.

ARNECC’s current Model Participation Rules require copies of identity documents to be retained for seven years. This requirement applies to lawyers, conveyancers and lenders. That means copies of passports, driver’s licences, birth certificates and other important documents must spend seven years in an inbox, on a server, on a computer or even in a filing cabinet. A lot can happen in seven years. As technology gets smarter, cyber criminals get savvier. One simple instance of human error or a compromised system can have devastating consequences. We’ve seen three high-profile companies impacted by cyber-attacks in the past six months, with millions of Australians’ identity data now on the dark web. Hindsight tells us this would never have happened if there had been no requirement for identity data to be stored.

As a law firm that places the highest value on protecting client data, Galilee knows breaches are inevitable, so we would like to see regulatory change to the current data storage requirements. Storing identity documents for seven years is the equivalent of leaving a car out in the hail, or of leaving a credit card on a shop counter while you decide to browse some more. Holding onto passport and driver’s licence numbers adds nothing to proving you’ve verified someone’s identity, but it means everything to a hacker, who needs exactly these additional details in order to take over your identity. It’s ultimately all risk and no reward, with the potential for significant damage to clients and to a firm’s reputation.

There should be a way for clients to be verified that’s safe while meeting our number one obligation: to know with certainty who our client is. This is why we helped develop Livesign – Australia’s first and only simultaneous Verification of Identity (VOI) and Verification of Signer (VOS) app. To verify identity, Livesign intuitively extracts the photo from a person’s ePassport and biometrically compares it to a selfie taken at the time of verification. The chip technology allows access to the user’s personal information without ever storing an image of their passport, significantly reducing the risk of identity theft in the event of a cyber-attack.

Further reducing the risk, when Livesign securely stores the VOI certificate as evidence of the steps we have taken to identify a client, it redacts all the sensitive information – leaving us with a solid record of the identification process, but without creating a ‘honeypot’ of information in the unfortunate event of a data leak.

However, according to ARNECC, this doesn’t seem to be sufficient evidence of the steps taken, so we are being forced to keep all of this information in clear view. As a material supplier to APRA-regulated entities, we invest significant time and money in cyber security to avoid being hacked; however, if it can happen to Optus, it can happen to us.

While implementing an immediate fix is difficult, there’s a big need for change if we want to protect client data and prevent leaks across the legal, conveyancing and financial industries. We want to see a shift in mindset from ARNECC in future iterations of the Model Participation Rules, one that takes the current risks associated with data storage into consideration. This means removing the archaic requirement for storing clear copies of documents and accepting, as the norm, digital solutions that offer simultaneous VOI and Verification of Signer (VOS) together with redaction of sensitive client details.

Industry change starts at the top, and we’ll continue to champion the charge for greater data security outcomes for all.
