As noted above, a recent investigation report from the APC has highlighted the risk of businesses breaching privacy law if their IT systems are hacked (the report is available here).
The investigation was initiated following media reports that "Anonymous" had hacked a server holding customer information of Australian telecommunications company, AAPT. Among other things, the Commissioner considered whether AAPT had complied with its obligation to take reasonable steps to protect its customers' information "from misuse and loss and from unauthorised access, modification or disclosure" under National Privacy Principle 4 ("NPP4") of Australia's Privacy Act 1988 (a similar requirement to New Zealand's IPP5).
Although the APC was satisfied that once AAPT had become aware of the Anonymous attack it had taken appropriate steps to ensure the information could not be further compromised, the APC found that AAPT had breached NPP4 by:
- failing to have contractual measures in place with the third party responsible for managing and maintaining its servers which adequately protected the security of its customers' information; and
- failing to take steps of its own to update relevant software applications to the latest versions.
As a result, the APC made a number of recommendations, including that AAPT:
- undertake a regular review, assessment, testing and scanning of all IT applications both internally and held by external providers;
- allocate responsibility for lifecycle management of applications;
- undertake a regular review of IT security frameworks, policy compliance and data classification;
- provide regular IT security training; and
- review terms of contractual arrangements with IT suppliers to clarify who has responsibility for identifying and addressing data security issues.
The similarity between the privacy regimes in New Zealand and Australia means that these lessons are likely to be directly applicable here.