Reported Data Breaches in New Zealand double in the last year

December 9, 2013 |

Zdnet reports (found here) that reported data breaches in New Zealand  has doubled in the last year.

The article provides:

The number of data breach notifications in New Zealand more than doubled in the year ended 30 June 2013 to 107, with three quarters of the breaches notified coming from the public sector.

23 out of the 107 breaches reported were from the private sector, but even that was nearly double the 12 breaches reported in 2012, according to the Privacy Commissioner’s annual report.

While the most common type of breach remains the sending of physical information to the wrong person, with 23 breaches notified, electronic data breaches of various kinds are now much more common overall than physical breaches.

Sending electronic information to the wrong person was the second highest breach category (17 notifications) followed by website problems (12 notifications). Four instances of hacking were also notified.

The Privacy Commissioner has been tracking notifications since 2007 but is now formalising its breach tracking programme as “a matter of external interest and importance”.

“We are still developing our reporting system, including considering the most accurate and useful way of reporting types of breaches and outcomes,” the Commissioner’s annual report says.

“Data breaches are being reported to us more frequently, and we have noticed a growing responsiveness by business and government to the reputational benefits of notifying clients when things go wrong.”

A number of high profile public sector data breaches occurred during the year revealing weaknesses within many agency systems and processes, Privacy Commissioner Marie Shroff said.

These included the exposure of security vulnerabilities in Ministry of Social Development self-service kiosks and the inadvertent release of a document containing information about many tens of thousands of Christchurch earthquake damage claimants by EQC.

“We are receiving notifications from a greater variety of sectors, indicating that awareness of breach notification best practice is becoming more widespread,” Shroff said.

Data breach notification is voluntary in New Zealand, so the number of breaches is probably much higher. The Law Commission has recommended breach notification become compulsory “in a clearly defined set of situations”.

The Privacy Commissioner also submitted of the Government’s Bill to reform the Government Communications and Security Bureau (GCSB) during the year.

“Our submission on the Bill said that because of the complex and dynamic environment, we believe surveillance, and in particular oversight of that activity, needed to be considered further,” Shroff said.

The Privacy Commissioner also participated in the Global Privacy Enforcement Network (GPEN) Internet Sweep, an internationally coordinated effort to scan websites to assess the adequacy of their privacy notices and policies.

The office also received long awaited notification from the European Commission that New Zealand law was considered adequate for the purpose of European Union law.

Coming into effect in April 2013, this decision provides New Zealand businesses with a “comparative advantage” in cross-border data processing, the report says.

The New Zealand Privacy Commissioner has commented in the following terms:

Reporting data breaches
The Office has started to track breach notifications more formally, as this is a growing area of work for us and is also a matter of external interest and importance. We have for the first time reported the number of notifications we received in our 2013 Annual Report.

Data breaches are being reported to us more frequently and we have noticed a growing responsiveness by business and government to the reputational benefits of notifying clients when things go wrong.

The total number of notifications in 2013 was 107, more than double the 47 incidents reported to us in the previous financial year. There were 84 public sector notifications and 23 private sector notifications in 2013.

The most common type of breach reported is physical information sent to the wrong recipient. This was followed by electronic information sent to the wrong recipient while website breaches also made up a significant category.

Breach reporting is currently voluntary in New Zealand. Breaches reported to the Office do not reflect the level of breaches that actually occur, or the relative performance of agencies in various sectors. Instead, the agencies that report breaches tend to be conscientious and are able to identify breaches when they occur and are well aware of best practice in breach reporting.

Some of the breaches reported were minor and would not require notification under a mandatory scheme. The figures therefore do not necessarily tell us whether an agency has a serious issue with its security standards.

In addition, a few notifications involved agencies that discovered that their disclosure processes might breach the Act. Not all of these are “data breaches”. Data breaches usually involve either deliberate misuses or theft of personal information (such as employee browsing, hacking, or theft of data storage devices), or inadvertent actions by an agency that expose personal information. For simplicity’s sake, we currently log all voluntary notifications from agencies as breaches.

The Law Commission has recommended New Zealand move to mandatory breach reporting and the Privacy Commissioner agrees. Mandatory reporting would provide strong incentives for agencies to take appropriate steps to prevent breaches and to manage them properly when they occur.

It would also result in better information being given to affected individuals so that they could take steps to protect themselves. It would provide the Office with better information about the scale of the breach problem in New Zealand, the types of breaches that occur, and what approaches are effective. We could then use this information to advise others. It would also provide a direct mechanism to deal with agencies that refused to comply with the law, allowing us to target responses to greatest effect.

and

Privacy Commissioner’s Annual Report 2013 – A Year of Rapid Change

“Events during the year have reinforced the need for tools to respond to the dynamic data environment that is developing across government and business,” said Privacy Commissioner Marie Shroff when she released her Annual Report today.

“We continued discussions with Ministry of Justice officials as they worked through the Privacy Act review proposals and we now look forward to the Government’s response. Having adequate privacy and security protections will enable the aims of Better Public Services to be realised successfully.”

“A number of other high-profile data breaches and security failures, including the exposure of vulnerability in MSD’s publicly-facing kiosks in December 2012 and an EQC data breach involving many thousands of its Christchurch claimants, showed the weaknesses within many agency systems and processes.”

“The Government’s Bill to reform the Government Communications and Security Bureau (GCSB) took place against a background of heightened awareness and concern about government intrusion and surveillance of civilian life. Our submission on the Bill said that because of the complex and dynamic environment, we believe surveillance, and in particular oversight of that activity, needed to be considered further.

“The Information Sharing Bill became law in February and we received the first application for an approved information sharing agreement (AISA) a few months later. Government agencies are required to consult with us on each AISA and we will make our reports publicly available on our website to support transparency in government.”

Data breach notification is not mandatory under the current Privacy Act and once the amendments come into effect in March next year. There is no reason to assume that data security on this side of the Tasman is so much more effective than in the land of the long white cloud.  Without mandatory data breach notification (in any form) it is difficult to gauge the extent of the problem. Whether the Government reintroduces the Privacy Alerts Bill, which died in the Senate earlier this year, is the question.  It received bi partisan support on its way through the Parliament, with some complaint about lack of consultation, but now a new Government is at the helm issues of priority and perhaps even a rethink are all possibilities.  There should be some form of mandatory notification.

 

Leave a Reply