Today’s announcement by Privacy Commissioner Marie Shroff of official data breach guidelines is to be welcomed, but the guidelines are unlikely to be enough on their own to ensure individuals are protected from corporate and government data losses.
There is a dirty little secret in IT that is hinted at often, but very seldom addressed. That secret is that data breaches happen all the time. The arrival of data breach disclosure laws in the US exposed that secret there, but most in New Zealand still do not realise how vulnerable their personal data really is.
Let’s be clear here: we are not just talking about sophisticated hacking. There are untold ways in which data breaches can occur and most of these are relatively mundane. Some of them don’t even involve IT. One incident this year in Australia involved a folder left on a train.
Then there are the insiders. Just this week a former Police telephonist was accused of misusing computer systems to access the National Intelligence Database, a massive database holding information on many New Zealanders.
Now, leaving aside how and why a telephonist could possibly have the authority to access such a system, let’s just admit that we have a big problem.
The people that get caught are just a fraction of the total doing this stuff — and once again it is not just an IT problem. In another age, that telephonist might have been looking through paper files.
And then there are the lost and stolen laptops. Once again, it happens all the time. They are stolen out of cars and hotel rooms. They are lost in alleyways after big nights out. And how many contain sensitive data? How many of these are encrypted?
Just this April Computerworld reported on 106 laptops that could not be accounted for by the Inland Revenue Department. The content of these, it seems, was not encrypted, but protected by a very slippery beast called “policy”.
A lot of the focus in these discussions is also on the big end of town. But what about small business? As we move towards an information economy, even micro businesses will hold individual data that is highly sensitive. I’m not going to suggest that small businesses are any less secure than corporates, but I will say that security in the SME sector is a huge unknown and will probably be highly variable.
Now the IRD laptops could just be a case of bad asset management. Who really knows? But one way or the other it is pretty clear that a voluntary data breach code will not cut the mustard. There is simply too much at stake for companies and their employees for such a code to deliver the results that need to be delivered.
The new guidance is very welcome because it will generate debate and discussion (submissions on the draft guidelines close on September 28) and naturally, we’ll be asking organisations whether they plan to comply with it — and publishing those results. But, as Auckland-based security consultant Peter Benson said earlier this year: “Law creates accountability.”