Video footage is an incredibly valuable data asset. As well as having forensic value, it can be used to train AI and machine learning models. And while today’s threat actors are only getting started with using these powerful tools, in time they could leverage video footage in many ways.
As organisations obtain more video data, they are faced with significant challenges. To overcome these challenges, they must craft a robust video data management lifecycle to ensure data is ethically collected, stored safely, used correctly and permanently destroyed once it is no longer needed. The Australian Privacy Principles make it clear that data can only be collected with consent and only used for its intended purpose. But how does this relate to video?
The Privacy Act 1988 covers Australian Government agencies and organisations with an annual turnover of more than $3 million. Organisations subject to the Act must tell people their image may be captured before it’s recorded, and must ensure that recorded personal information is stored securely and destroyed or de-identified when it is no longer needed.
If threat actors succeed in breaching video management systems, they could use the footage to create deep fakes that enable them to bypass security controls. Or they could collect audio from footage and use that to initiate other forms of fraud. Video could become the next honeypot criminal bees flock to. This is why organisations must take a holistic view of how they collect, manage, and destroy video data.
Start with a clear collection policy
When collecting any data, its intended purpose must be abundantly clear. Determine what video will be captured, what it will be used for, and notify anyone who will be caught on camera that they may be recorded. While the Privacy Act 1988 is a federal law, there are also jurisdictional rules in each state and territory that must be observed when it comes to the use of video.
Ensure storage is secure and access is tightly controlled
Video data must be securely stored, with tight control over who can access the footage. Strong governance is also needed to ensure data is encrypted when being transferred and while it’s stored, so that even if a determined attacker breaches the defences, the data is not of any use to them.
Decide how long data must be retained
Not all data needs to be retained indefinitely. There may be regulatory obligations to keep some footage for long periods of time, such as when video captures a specific incident like a criminal act, a workplace accident or some other matter of importance. Other footage may not be needed. Think carefully about what needs to be kept and for how long.
Securely delete video footage that is not needed
Video footage that is no longer needed should be securely destroyed. Hitting the delete key on a few files is not enough. Secure deletion means ensuring the data is removed from live data and backups in a way that makes it completely irretrievable.
The challenge with video footage is that it is relatively easy to collect. Once a camera is deployed it can collect data indefinitely, limited only by the ability to store it. This is why organisations need a plan that covers the entire lifecycle. As well as saving on data storage costs, it ensures that data that is potentially valuable to threat actors is not retained.
George Moawad is the country manager of Australia & New Zealand at Genetec.