Identity theft to be outlawed in New Zealand, with privacy enhancements, but much more work required on identity theft in Australia
May 29, 2014 |
The New Zealand legislature will be outlawing identity theft with major improvements in privacy regulation according to stuff. That includes mandatory data breach notification legislation.
Identity theft is to be outlawed with a fine of up to $10,000 under an overhaul of privacy laws.
The Government is to beef up the watchdog powers of the privacy commissioner. Organisations will also be required to report data breaches to the commissioner, and notify those affected in serious cases.
Penalty fines are to be increased and two new offences created.
Failing to notify the commissioner of a privacy breach or impersonating someone to obtain their personal information will be illegal and carry a fine of up to $10,000.
It will also be against the law to destroy documents containing personal information that a person has sought access to.
Justice Minister Judith Collins announced the changes, saying they were necessary because of advances in technology.
“Our proposals will put strong incentives in place to ensure business, government departments and other organisations take privacy seriously,” Collins said.
The proposals follow mass privacy breaches at ACC and the Ministry of Social Development.
They stem from a 2012 Law Commission review of the Privacy Act, which is more than two decades old.
“Large amounts of personal information are now stored online and transmitted digitally – this has benefits, but also poses potential risks,” Collins said.
“It’s now possible for huge amounts of data to be released in a single privacy breach, potentially affecting large numbers of people.”
The commissioner will have new powers, including the ability to issue compliance notices. Currently, the watchdog can only make recommendations.
However, fines will apply only to private agencies. The Government says it believes the prospect of being “named and shamed’ is an effective deterrent within the public service.
Organisations that send personal information offshore must ensure it is protected and subject to acceptable standards. This includes firms that use cloud computing services or overseas call centres.
If the offshore company has a breach, the Kiwi organisation may be subject to a complaint and required to notify the breach.
Collins said the new proposals were consistent with new OECD guidelines. The commissioner received a $7 million Budget boost this year.
The Privacy Act will be repealed. But the Government is to undertake “targeted technical consultation” before new legislation is introduced to Parliament.
Itnews reports on the proposal in NZ govt proposes mandatory data breach reporting.
While the Australian points out the inadequacy of Australia’s legislation in Identity thieves a sign of the times. It provides:
AUSTRALIAN law needs to move faster to stop identity thieves exploiting the growing official acceptance of electronic and digital signatures.
Brisbane estate litigation lawyer Charlie Young said that as the law moved away from traditionally requiring a physical, handwritten signature, there was a growing risk that identity thieves could exploit loopholes in legislation.
He said the extension of electronic signatures to the granting of charges over land, as had occurred in Queensland, meant an impostor could electronically forge a signature and falsely obtain credit secured to a property.
“The person who owns the property over which the charge has purportedly been granted might find one day that someone’s trying to sell their house. There is certainly potential for fraudulent transactions as a result of these electronic transactions,” Mr Young said.
He said the law regarding electronic transactions was fairly consistent across states, but was 12-14 years old. It had inadequate safeguards to ensure parties identified themselves.
“The law simply requires that a method be used to identify a person and indicate their intention that they wish to carry through with an electronic transaction,” he said. “There is no guideline or outline as to what steps you must take to identify a person.”
Mr Young, a senior associate with Bennett & Philp Lawyers, said this had led to fraudulent transactions involving electronic signatures. “That’s where we’re getting caught up with all these fraudulent transactions because they’re all these traders out there who aren’t taking sufficient steps to identify the people they are purportedly transacting with,” he said.
“Perhaps the legislation should be tightened to specify whether a person has to provide a tax file number, or a driver’s licence. Most commercial traders out there aren’t sophisticated; they’re just trying to run a business. They don’t know what steps need to be taken in order to protect themselves.”
There is confusion, too, about the different types of electronic verification. Ticking a box, typing a name or including an image of a signature on a document are forms of electronic verification, but offer little identity security.
A digital signature or certificate with encryption codes on the other hand such as public and private identity keys made available to a person after they had identified themselves offered more.
Philip Argy, chairman of the NSW Law Society’s legal technology committee, said the process of obtaining a digital certificate was no less rigorous than getting a passport.
“It depends how punctilious you want to be about the use of language,” Mr Argy said.
He said the Attorney-General’s department was briefing lawyers on new identity-proofing guidelines.
Attorney-General George Brandis this month launched a document verification commercial service that will let private-sector users perform real-time online checks of information presented on identity documents with the records of the issuing agency.
[…] Identity theft to be outlawed in New Zealand, with privacy enhancements, but much more work required… […]