Last week, Privacy Commissioner Marie Shroff issued a statement saying there was a good case for legislating on data-breach disclosure.
That’s great news. Computerworld has been pushing for a compulsory disclosure regime since early last year and that certainly seems to be the way many other countries are heading after California introduced its law a few years back.
However, at this stage, Shroff is only targeting disclosure by government agencies.
Given that a review by her office of government data-matching security turned up instances of data being shared on CDs that were neither encrypted nor password-protected, that’s clearly necessary.
Considering the many examples we have published, from all around the world, of private data being lost or exposed, it is almost beyond belief that government agencies could still be exchanging data in this way.
But, what about the private sector? Private organisations hold as much if not more sensitive data on individuals as government — why should they not be included in a compulsory disclosure regime as well?
Will we have one rule for public health organisations, for instance, that will force disclosure of data breaches and another that will allow private health providers to sweep any such incidents under the rug?
And what about your bank, your insurance company, your dodgy finance company, your telecommunications provider, your retailers and so on?
All of these organisations hold information on individuals that is private and that if disclosed could enable identity theft and fraud.
I don’t believe that these organisations are any better at protecting data than government agencies. Given the resource constraints and tight margins many work under, breaches could even be more likely.
The Privacy Commissioner is taking a measured approach to implementing data-breach rules, but any move to make data-breach disclosure mandatory in government should be quickly matched with a compulsory regime for the private sector.
Organisations that hold private information on trust have as much responsibility as organisations that hold money on trust — and when it comes to money, we regulate and legislate willingly enough.
And then there is the issue of information on New Zealanders held overseas. This isn’t just our Australian-owned banks, but increasingly companies such as Google or Facebook, or any email or managed-email service provider, to name a few examples.
The original California law required disclosure when Californian citizens were affected, no matter where the data breach occurred in the US.
Ideally, a New Zealand law would attempt to replicate this, and we should head towards a world where reciprocal agreements exist for information protection just as they do for the protection of tax revenue or intellectual property.