Privacy Commissioner Marie Shroff will today announce a draft guide for the management of data breaches in business and government, in what could be the first step towards introducing data breach disclosure laws to New Zealand.
The guidelines are not mandatory, however. Shroff says she may consider whether breach notification should be a mandatory part of New Zealand law, as is the case in parts of North America and has been recommended in Canada.
The guidelines say data breaches should be managed in four stages: containing and assessing the breach; evaluating the risks; considering or undertaking notification; and putting in place future prevention measures.
“Be sure to take each situation seriously and move immediately to investigate the potential breach,” the guidelines say. “Steps 1, 2 and 3 should be undertaken either simultaneously or in quick succession. Step 4 provides recommendations for longer-term solutions and prevention strategies. The decision on how to respond should be made on a case-by-case basis.”
In May, Computerworld conducted a snap poll of IT executives attending an IT security briefing in Auckland. That poll showed overwhelming support for data breach disclosure laws.
“Notifying individuals that their sensitive personal information has been disclosed enables them to take steps to prevent misuse of their details,” Shroff says.
“We recognise that not all breaches of personal information warrant notification. For example, there would be little point in notifying each individual on an address database that was accidentally sent to a trusted mail house and then safely retrieved.
“The situation would obviously be quite different if the database included customer credit card numbers and it was stolen, or a disc of the list was lost.”
However, data breach laws have proven a severe embarrassment for many businesses in the US as more and more breaches, now affecting millions of people, have emerged.
At a June forum organised by Auckland-based security firm Security-assessment.com, solicitor Michael Wigley said such laws should be part of the Privacy Act, but would differ from the rest of the Act in being prescriptive rather than “principle-based”.
“Boards know they should protect their IP and brands but don’t do as much as they should,” Wigley said, describing most of the current “accepted use” policies he had seen as “shit”.
“They don’t work and that’s a strong indicator that all things are not well,” he said.
Security-assessment.com founder Peter Benson said data breaches are a risk and compliance issue and need to be managed from the top, rather than just by IT.
“Law creates accountability,” he said.
The new guidelines recommend direct notification, by telephone, email or post, as the most appropriate means of communicating a data breach.
However, they also recognise that these might not be the best means, or that an agency might not hold contact details for the affected individuals.
“In these circumstances, public notification might be appropriate (weighed against the risks of alerting the person in possession of the information and/or further breaching people’s privacy),” the guidelines say.
Thirty-four US states have mandatory breach notification laws and parliamentary committees recently recommended these in Canada and the United Kingdom. The New Zealand guidelines are modelled on Canada’s.