Vikram Kumar is chief executive of InternetNZ, a non-profit organisation that advocates on behalf of New Zealand users and, through its subsidiaries, administers NZ web addresses.
The Law Commission is expected to deliver the final report on its review of the Privacy Act next month. I hope it includes a recommendation that it is compulsory for people to be informed when their personal information is lost, stolen or inappropriately accessed.
This isn’t a kneejerk reaction to the latest headlines, such as Sony’s PlayStation Network hack. I had blogged about it back in 2007. Many others have also called for making notification mandatory, including the Privacy Commissioner herself and NZICT chief executive Brett O’Riley.
Current situation
1. Principle 5 of the Privacy Act requires an “agency” (anyone who holds our personal information, including government and businesses) to ensure “that the information is protected, by such security safeguards as it is reasonable in the circumstances to take...” The problem is that what counts as “reasonable” is left to the agency.
2. The state of California, USA was the first to pass a law, in 2002, making notification of security breaches that disclose personal information mandatory. Many other jurisdictions in the USA and around the world have followed.
3. In New Zealand, there are guidelines for agencies to respond to privacy breaches and notify affected people voluntarily. Notification is not expected for every breach: the guidelines ask agencies to assess legal and contractual obligations, the risk of harm, and the ability of the individual to avoid or mitigate harm.
4. The Law Commission is doing a four-stage review of the Privacy Act. The final report is expected next month. The Issues Paper for the stage 4 review had a chapter, Chapter 16 (pdf), looking at the issues related to data breaches in great detail. To my mind, this remains the best, balanced review of the issues and well worth a read for anyone interested in the details of the subject.
5. The Privacy Commissioner has stated that if the Law Commission doesn’t recommend mandatory notifications, she would introduce a statutory code to make it so.
Rationale
The Law Commission paper referred to above lays out all the standard reasons why notifications should be mandatory. These include reduction of identity crime; reducing other harm; the “right to know”; and policy development.
I have an additional rationale, founded on my view of security.
Security professionals always start with a risk assessment, weighing costs against benefits. That assessment tells them which threats to address first.
If the benefits are low, the costs (in both money and effort) they are willing to incur or recommend will also be low, or nil. The fact is that the perceived benefit to an agency from protecting people’s personal information is very low. That is the core reason agencies put so little money and effort into protecting it.
The answer is to raise the perceived benefit by imposing an external cost: mandatory notification when the personal information an agency holds is lost, stolen or inappropriately accessed. That’s why I favour mandatory notification over voluntary.
Not a silver bullet
In another blog post in 2007, I had pointed to a US study and concluded that “there is some evidence that identity fraud or theft that actually comes from breaches involving the disclosure of personal identity information is quite low.”
The Law Commission’s Issues Paper references a Canadian white paper that says “There is little evidence to date that mandatory breach notification laws have led to a reduction of data breach incidents.”
Certainly, in our home we haven’t stopped ordering Hell pizza online, given up our Telecom landline or stopped subscribing to the McKinsey Quarterly. We don’t have a choice about paying our taxes even if The Treasury loses an Inland Revenue data CD.
No wonder then that Business New Zealand CE Phil O'Reilly recently called for caution, wanting “serious justifications” before any criminal sanctions are introduced and ensuring no harm to the growth of small to medium-sized businesses.
Balanced response
We remain in favour of making notifications mandatory. As we said in our submission on the Issues Paper last year, we think this should happen in two steps:
However, the success of mandatory data breach notifications depends upon getting a range of parameters right. Currently there is insufficient information about the number and scope of data breaches to provide for an effective yet balanced set of rules.
We therefore recommend that mandatory notification of all data breaches be to the Privacy Commissioner only for an initial period of one to two years. This will then provide a sound basis for developing a mandatory set of rules to apply to mandatory public notifications thereafter.
A two-step introduction process should also be able to provide answers for all the important questions around notification rules and parameters raised in Chapter 16 of the Law Commission's issues paper.
Vikram Kumar
Mon, 16 May 2011