Data loss & disclosure

Yet another survey, this time of New Zealand firms, confirms that data loss will be the number one most important issue in IT for the near future. As reported by Computerworld, “58% of Australian and New Zealand companies suffered a data loss or breach that affected business performance”.

Interestingly, the Australia/New Zealand rate is above the US and global rates. This is despite New Zealand having very few reported incidents, while reported incidents in the UK and US seem to have reached near-epidemic levels. As the article reports, maybe this is because they are kept out of the press.

It is true that other countries have (or are implementing) mandatory data loss notification laws. Locally, the idea has been proposed by the Privacy Commissioner, who says there is a “good case” for such a law. However, this could be many years away. The issue is not currently on the Law Commission’s project list, which would probably be the first step to introducing such a law, and it is fair to say the Government has more important things to worry about at present.

It is inevitable, however, that we will implement such a law, and when we do we are likely to look to the UK as a model. The UK and EU have been particularly active in the area of data protection (for good reason). Last year, the UK passed a “reckless data loss law”, allowing their Data Protection Commissioner to impose fines on people or companies who:

“knew or ought to have known that there was a risk that [data loss] would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the [data loss].”

This could even extend to personal liability for a reckless sysadmin. Whether or not this is a good idea remains to be seen, as the law has been passed but is not yet in force. And unfortunately for victims, the UK Government gets to pocket the fine.

In the meantime, in this country the Privacy Commission should be the first stop for personal data loss issues. Beyond that, it is very much a matter of being careful with who you entrust your personal information to – bearing in mind that whoever you give it to will almost certainly involve third party contractor access at some level.
