The Privacy Commissioner’s announcement of data-breach guidelines last Monday was greeted positively by both government and industry groups. However, the private sector is still pondering the implications. Computerworld canvassed a variety of opinions. Here are the responses:
The State Services Commission
The State Services Commission (SSC) spokesman, Jason Ryan, says the SSC welcomes the Privacy Commissioner’s proposals for addressing privacy breaches.
“The increasing use of the internet has seen a consequent increase in people’s concerns about protecting their privacy and having guarantees about the security of their information, and these concerns need to be addressed,” he says.
“There are real benefits from the Office of the Privacy Commissioner developing these guidelines and providing clarity around the responsibilities of the holders of this type of information. The SSC encourages government agencies to engage in the consultation process, to develop guidelines that will help strengthen trust in the State Services.”
Spokesman Paul Brislen says Vodafone is unable to comment at this time.
IBM’s spokeswoman, Jacquelene Hopwell, says, “[IBM is] reviewing the draft guidelines, therefore it would not be appropriate for us to discuss and/or comment on them at this time.”
“NZ Post has nothing to say on this, at this stage,” says spokeswoman Fiona Mayo.
ASB was unable to respond by Computerworld’s deadline.
Auckland City Council
Auckland City Council’s CIO, Ian Rae, says the guidelines are not dissimilar to the council’s own thinking on the protection and custodianship of personal information.
“Consequently, these guidelines will be a useful tool for us to measure our practices against, and identify if there are any areas for improvement,” he says.
“In the local government industry, there has always been a high awareness of the need to protect personal information. Our efforts to date have been primarily in the area of reducing the chance of a breach occurring. We have numerous processes in place, across many areas of the council’s operations – for example, the call centre, front-of-house operations, the internet – to manage the risk of a breach occurring.”
Security-Assessment.com
Peter Benson, chief executive of information security consultancy Security-Assessment.com, says the guidelines go some way towards both creating accountability, and raising awareness of agency accountability and responsibilities, but are only a first step.
“Hopefully, this is a good first step that will eventuate in a measured stride towards good legislation that suits the balancing of agency business-requirements and the privacy rights of individuals,” he says.
“I am pleased that the Privacy Commissioner did not leap head-first into legislation as this is an area that requires input from all sectors of New Zealand, to make sure that we end up with good legislation. It is sometimes all too easy to over-react to public issues with draconian or overly liberal legislation, and the issues raised by this topic need a level of careful study.
“I am seriously looking forward to the outcome of submissions on this topic, and would encourage vigorous debate by the public and agencies, as to both the validation of the guidelines and towards where we go with the next step. My biggest concern around the guidelines is that they are very open to interpretation and, as such, each agency will still be apt to react in its own fashion.
“I certainly don’t expect there will be a flurry of disclosures as a result of the publication of these guidelines. And I am sure that a lot of agencies will need to get their heads around the potential implications of the guidelines.”
Benson is pleased about the increased focus on “reasonable” precautions. However, he adds that these are still not clearly defined.
“Certainly, there have been a number of good ‘de facto’ standards that have emerged over the last few years, including the Payment Card Industry Data Security Standard (PCI-DSS), Sarbanes-Oxley (SOX), and the Code of Practice for Information Security Management (ISO/IEC 17799/27001). However, the adoption of these on a voluntary basis has been somewhat sporadic and haphazard,” he says.
“On the up-side however, we are seeing more and more companies adopting these. As before though, I suspect, under the current environment, and even since the publication of these guidelines, either a class-action or a number of legal case studies will be required to qualify what is acceptable or reasonable practice, both in terms of protection and notification of information breaches.”
Benson says the Office of the Information and Privacy Commissioner for British Columbia helped define what is reasonable here, in relation to patient records last year, saying: “The reasonableness of security measures and their implementation is measured by whether they are objectively diligent and prudent in all of the circumstances. Depending on the situation however, what is ‘reasonable’ may signify a very high level of rigour.”
“The Commissioner also indicated that costs should not be the determining factor when assessing the adequacy of security,” Benson says. “This is a great stance for a Privacy Commission to take and indicates a high degree of leadership.”
Benson says a code of practice for specific information-type holders, or guidelines based on industry, should be developed to set a level of “reasonable expectation”.
“We have really yet to see specific guidelines in this country which take the high-level principles and guidelines and look at applicability to specific areas of interest,” he says.
Benson says prevention is probably the most important aspect of privacy and deserves special mention. “Prevention of loss through good policy, procedures and protection of systems will inevitably be better for agencies than having to deal with disclosure of an incident, and is the cornerstone of information security and privacy protection.”