A recent spate of security breaches affecting some major companies has brought the issue of data protection to the attention of many people. In the most recently reported security breach, as at the date of this ezine, information on over 1.2 million customers (names, birth dates, e-mail addresses and passwords but not financial information) from Sega’s “Sega Pass” database was subject to unauthorised access. Other well-known companies and organisations reported to have suffered intrusions recently include the International Monetary Fund, Citigroup, Lockheed Martin, Sony, and Epsilon, a data marketing firm (the Epsilon breach is reported to have affected over 50 major companies, including JP Morgan Chase, Hilton and Best Buy). In some of these attacks, hackers have gained access to credit card and bank account details, as well as personal information such as users' names and log-in information.

New Zealand organisations that hold personal information may, as a result of these security breaches, have questions about the actions they should take when faced with a similar situation. These breaches also highlight the importance of robust data protection policies and systems, to comply with the requirements of the Privacy Act 1993 (Privacy Act).

Handling a security breach incident

New Zealand does not currently have any specific data or privacy breach notification laws. However, the need for, and potential requirements of, such laws were discussed in the Law Commission's 'Review of the Privacy Act 1993' Issues Paper released in March 2010, as stage four of the Law Commission's review of privacy law. Submissions on the Issues Paper closed on 30 April 2010, but the Law Commission has not yet issued its report.

There is a broad movement around the world towards breach notification schemes. In the US, the Obama administration recently proposed a national data breach notification law, which would supersede the 47 separate state and District of Columbia regimes currently in place. In Europe, a breach notification regime for the telecommunications industry will come into force later this year. In Australia, the Australian Law Reform Commission has also recommended the introduction of mandatory data breach notification laws.

Despite the fact that there are no specific breach notification laws in New Zealand, the Privacy Commissioner has indicated that notification steps are a factor that could be taken into account when considering whether an organisation has complied with its obligations under the Privacy Act's information privacy principle 5. Information privacy principle 5 requires the taking of all reasonable steps to protect personal information. The Privacy Commissioner released a set of voluntary privacy breach guidelines in 2008, and in the accompanying information paper commented that:

In some cases, quick and effective notification may prevent harm to the individual or provide an individual with the opportunity to mitigate harm. The Privacy Commission can receive complaints on breaches of the Information Privacy Principles. For a complaint to succeed, a complainant must show that a principle has been breached, and that they have suffered, or may suffer, harm as a result. If any individual harmed by a privacy breach is given the opportunity, through notification, to mitigate the effects, this may limit an agency's potential liability.

These privacy breach guidelines recognise four elements of managing a privacy breach:

  1. breach containment and preliminary assessment;
  2. evaluation of the risks associated with the breach;
  3. notification; and
  4. putting in place future prevention strategies.

The guidelines also emphasise the need for these steps to be taken quickly following a breach.

The full guidelines are available here.

New Zealand organisations that hold personal information should review these guidelines and establish a contingency plan (including a notification plan) to allow prompt action following a security breach.

Data protection policies

As noted above, information privacy principle 5 of the Privacy Act requires agencies to take all reasonable steps to protect personal information. An organisation that keeps its information protection policies and systems up to date with industry best practice will be much better placed to withstand a complaint that it has breached this principle. For example, encryption of data, separation of sensitive data into independent databases, and use of data loss prevention monitoring tools may be merited if inappropriate release of information held by the organisation could lead to significant risk to individuals' physical safety, reputation, or financial security.

In addition, information privacy principle 9 prohibits organisations from holding personal information "for longer than is required for the purposes for which the information may lawfully be used". New Zealand organisations holding credit card details should therefore have systems to ensure that, once credit cards have expired (and can therefore no longer be used for purchases) and are not needed for other legitimate purposes such as responding to transaction queries, the records are deleted (unless there is a legitimate reason for their retention). More generally, data retention policies should set out the timeframes for which information should be retained, and there should be systems for deleting or destroying information that is no longer needed. Just because information can be stored (for example, because electronic storage is cheap) does not mean it should be stored.

Conclusion

The significant recent publicity regarding security breaches is a reminder for New Zealand organisations to take proper precautions in the way they store information, to properly consider how long it is necessary to store information, and to establish systems to deal with security breaches should they occur.

In addition, with a comprehensive review of the Privacy Act currently underway, and significant international momentum towards mandatory data breach notification laws, it seems likely that New Zealand will also move to a mandatory breach notification regime at some point over the next few years.