When thinking about privacy breaches, the examples that immediately come to mind often involve acts: an email sent to the wrong person, a surreptitious recording, or a naming and shaming, for example.
However, privacy law is also concerned with omissions, including agency failures to protect individuals' personal information from access by third parties. Under New Zealand's Privacy Act, this is recognised by, for instance, information privacy principle 5 ("IPP5"). IPP5 provides, among other things, that an agency must ensure that personal information it holds is protected "by such security safeguards as it is reasonable in the circumstances to take" against loss, unauthorised access, use, modification, or disclosure, and other misuse.
The importance of this principle has been highlighted by several recent examples. As discussed further below, in Australia, a hacking attack by "Anonymous" on a server holding personal information about a telecommunications company's customers resulted in an investigation by the Australian Privacy Commissioner ("APC") and a finding that the company had breached Australia's equivalent to IPP5.
In New Zealand, we have seen instances of individuals actively testing organisations' systems in order to expose flaws in their data security. Perhaps the most notable example is blogger Keith Ng's exposure of data security flaws in WINZ's computer kiosks last year (discussed on his "OnPoint" blog here). More recently, Radio New Zealand has reported (here) that a "security researcher" has exposed security flaws in Christchurch City Council's "Metrocard" website which allowed the researcher to access people's names, addresses and phone numbers.
At least in part, this interest in the integrity of agencies' data security can be attributed to the increased attention given to privacy in media and political discourse. As the Privacy Commissioner, Marie Shroff, has suggested in a recent speech (available here), privacy was once seen as a boring "compliance issue", but it is now "a pressing political issue". Further attempts to expose security flaws in public and private agencies' systems should therefore be expected.
Ms Shroff floats the idea of a "bug bounty" in which large agencies (public and private) offer rewards to people who can locate data security flaws in their systems. Some companies already offer bounties for reporting security vulnerabilities - Google offers bounties of up to $20,000, Yahoo up to $15,000 and Facebook offers a minimum bounty of $500 (with no stated maximum). Appropriately managed, bounties are a potentially powerful tool in agencies' broader information security armoury and, therefore, are worthy of serious consideration.