Privacy crime: make data breach notifications mandatory

InternetNZ chief executive Vikram Kumar.

Vikram Kumar is chief executive of InternetNZ, a non-profit organisation that advocates on behalf of New Zealand users and, through its subsidiaries, administers NZ web addresses.

The Law Commission is expected to deliver the final report on its review of the Privacy Act next month. I hope it includes a recommendation that it is compulsory for people to be informed when their personal information is lost, stolen or inappropriately accessed.

This isn’t a kneejerk reaction to the latest headlines, such as Sony’s PlayStation Network hack. I had blogged about it back in 2007. Many others have also called for making notification mandatory, including the Privacy Commissioner herself and NZICT chief executive Brett O’Riley.

Current situation
1. Principle 5 of the Privacy Act requires an “agency” (anyone who holds our personal information, including government and businesses) to ensure “that the information is protected, by such security safeguards as it is reasonable in the circumstances to take...” The problem is what’s “reasonable” is up to the agency.
2. The state of California, USA was the first to pass a law, in 2002, that made notification of security breaches leading to disclosure of personal information mandatory. Many other jurisdictions in the USA and around the world have followed.
3. In New Zealand, there are guidelines for agencies to respond to privacy breaches and notify affected people voluntarily. Notifications are not required for every breach. Agencies are required to assess legal and contractual obligations; risk of harm; and the ability of the individual to avoid or mitigate harm.
4. The Law Commission is doing a four-stage review of the Privacy Act. The final report is expected next month. The Issues Paper for the stage 4 review had a chapter, Chapter 16 (pdf), looking at the issues related to data breaches in great detail. To my mind, this remains the best, balanced review of the issues and well worth a read for anyone interested in the details of the subject.
5. The Privacy Commissioner has stated that if the Law Commission doesn’t recommend mandatory notifications, she would introduce a statutory code to make it so.
The Law Commission paper referred to above lays out all the standard reasons why notifications should be mandatory. These include reduction of identity crime; reducing other harm; the “right to know”; and policy development.
I have an additional rationale, founded on my view of security.
Security professionals always start with a risk assessment and will evaluate costs vs. benefits. This assessment informs them of the priority threats that they need to address.
If the benefits are low, then the costs (both in terms of money and effort) they are willing to incur or recommend are also going to be low or none at all. The fact is that the perceived benefit to an agency from protecting people’s personal information is very low. This is the core reason why agencies put in so little money and effort to protect it.
The answer is to increase the perceived benefits by imposing an external cost, i.e. mandatory notification when the personal information of people they hold is lost, stolen or inappropriately accessed. That’s why I favour mandatory notifications over voluntary.
Not a silver bullet
In another blog post in 2007, I had pointed to a US study and concluded that “there is some evidence that identity fraud or theft that actually comes from breaches involving the disclosure of personal identity information is quite low.”
The Law Commission’s Issues Paper references a Canadian white paper that says “There is little evidence to date that mandatory breach notification laws have led to a reduction of data breach incidents.”
Certainly, in our home we haven’t stopped ordering Hell pizza online or given up our Telecom landline or stopped subscribing to the McKinsey Quarterly. We don’t have a choice about paying our taxes even if The Treasury loses an Inland Revenue data CD.
No wonder then that Business New Zealand CE Phil O'Reilly recently called for caution, wanting “serious justifications” before any criminal sanctions are introduced and ensuring no harm for the growth of small to medium-sized businesses.
Balanced response
We continue to remain in favour of making notifications mandatory. As we said in our submission on the Issues Paper last year, we think that this should be in two steps:
However, the success of mandatory data breach notifications depends upon getting a range of parameters right. Currently there is insufficient information about the number and scope of data breaches to provide for an effective yet balanced set of rules.
We therefore recommend that mandatory notification of all data breaches be to the Privacy Commissioner only for an initial period of one to two years. This will then provide a sound basis for developing a mandatory set of rules to apply to mandatory public notifications thereafter.
A two-step introduction process should also be able to provide answers for all the important questions around notification rules and parameters raised in Chapter 16 of the Law Commission's issues paper.
