Posts tagged ‘data loss’

Government getting better at not losing data

Around 120 Government-owned portable storage devices were lost in the past 12 months, according to the Privacy Commissioner. I don’t know how this ranks against other governments and large companies, but it is probably about average. PSDs will get lost. The question is what controls are in place to protect the data on them when they do.

Last year, the Privacy Commissioner released a guidance note on PSDs. Now, the Privacy Commissioner has provided an update:

Government agencies have generally improved security around ‘portable storage devices’ (PSDs) such as USB memory sticks – but there are still some key agencies that have less than desirable controls

This is based on a survey released this week (PDF, 4 MB) showing that two-thirds of government agencies have “adequate controls” compared to half last year. That there has been improvement is good, but it does raise the question: what are the other third doing? Controls on PSDs are common sense for government agencies, and not massively difficult to implement. There can be no excuse for not having 100% of agencies with measures in place next year.

The report did not cover data loss disclosure – which the Privacy Commissioner had raised last year – but it did note:

In almost all occasions, agencies became aware of the loss or theft of a PSD through staff notification.

However, at yesterday’s Privacy Forum in Wellington, Sir Geoffrey Palmer confirmed that mandatory data loss disclosure is on the Law Commission’s reform radar. From his speech:

Another subject on which we are contemplating some changes is data breach notification. We have examined closely the merits of introducing a mandatory data breach notification requirement into the Privacy Act. Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

This is clearly an unsatisfactory state of affairs. Data breach notification rules are already well established in the United States (which is sometimes wrongly criticised as having lax privacy rules) and are being introduced in the European Union. The rules apply not only to the public sector, but to private companies too. The Law Commission is taking submissions on this subject as part of its ongoing review process.

Portable storage devices & data loss

The Privacy Commissioner recently released a Guidance Note on the Use of Portable Storage Devices. PSDs have been the cause of some major data-loss incidents around the world in recent years, although of course people will still drop notepads in the street or lose unencrypted disks in the post. The recommended steps:

  1. Assess the risks associated with using PSDs in your organisation.
  2. Introduce and actively communicate policies that set out how staff may use PSDs.
  3. Minimise the use of personal PSDs in the workplace.
  4. Introduce software or hardware controls (or both) to restrict use of PSDs.
  5. Actively monitor the use of PSDs for compliance with policies.

A relevant item to note following the launch of Windows 7 is the new BitLocker To Go extension, which brings BitLocker’s volume encryption to USB drives and other removable media. For Windows shops this would surely be a key control to introduce: the accompanying Group Policy setting can make any removable drive that is not BitLocker-protected read-only, so staff can still read an unmanaged stick but cannot copy data onto one. The caveat is that only the Enterprise and Ultimate editions of Windows 7 can encrypt a drive (other editions, and XP and Vista via the BitLocker To Go Reader, can only read one), so licensing is part of the rollout.
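To make steps 4 and 5 of the guidance note concrete for a Windows fleet, here is an added example of how the “software controls” and the “monitoring” might look in practice. It is my own script, not something from the Privacy Commissioner’s note or from Microsoft, and it assumes an elevated PowerShell session on Windows 7 or later; the registry paths are the ones the corresponding Group Policy settings write (BitLocker To Go’s “Deny write access to removable drives not protected by BitLocker”, and “Removable Storage Access: Removable Disks”), so on a domain you would set them through a GPO rather than running this on each machine.

```powershell
# Added example: enforce and audit PSD controls on a Windows host.
# Not part of the Privacy Commissioner's guidance note or the original post.
# Assumptions: run elevated; Windows 7 or later. Get-BitLockerVolume exists only on
# Windows 8 / Server 2012 and later, so the fallback shells out to manage-bde.exe.

param(
    [ValidateSet('Audit', 'EnforceEncryptedOnly', 'DenyAllRemovable')]
    [string]$Mode = 'Audit'
)

# Registry locations the Group Policy editor writes for these two policies.
$FvePolicy      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# GUID below is the "Removable Disks" class used by the Removable Storage Access policy.
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    }
    return 'not configured'
}

switch ($Mode) {
    'EnforceEncryptedOnly' {
        # Unencrypted sticks become read-only; BitLocker To Go-protected ones stay writable.
        Set-PolicyValue $FvePolicy 'RDVDenyWriteAccess' 1
        # Also refuse drives encrypted under another organisation's identification field.
        Set-PolicyValue $FvePolicy 'RDVDenyCrossOrg' 1
    }
    'DenyAllRemovable' {
        # Blanket block: no read, write or execute from removable disks at all.
        Set-PolicyValue $RemovableDisks 'Deny_Read'    1
        Set-PolicyValue $RemovableDisks 'Deny_Write'   1
        Set-PolicyValue $RemovableDisks 'Deny_Execute' 1
    }
}

# --- Step 5, part one: what the policy currently says on this host ---
Write-Host "RDVDenyWriteAccess (write only to BitLocker-protected drives): $(Get-PolicyValue $FvePolicy 'RDVDenyWriteAccess')"
Write-Host "Removable Disks Deny_Write:                                  $(Get-PolicyValue $RemovableDisks 'Deny_Write')"

# --- Step 5, part two: encryption state of removable volumes attached right now ---
$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2'   # 2 = removable disk
foreach ($vol in $removable) {
    $letter = $vol.DeviceID                                                    # e.g. "E:"
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $bl    = Get-BitLockerVolume -MountPoint $letter -ErrorAction SilentlyContinue
        $state = if ($bl) { "$($bl.ProtectionStatus) / $($bl.VolumeStatus)" } else { 'unknown' }
    } else {
        # Windows 7: parse manage-bde output; the "Protection Status" line reads On or Off.
        $out   = & manage-bde.exe -status $letter 2>$null
        $line  = $out | Where-Object { $_ -match 'Protection Status' }
        $state = if ($line) { ($line -split ':\s*', 2)[1].Trim() } else { 'unknown' }
    }
    Write-Host "Removable volume $letter ($($vol.VolumeName)): BitLocker protection $state"
}

# --- Step 5, part three: every USB mass-storage device Windows has ever enumerated ---
# Windows keeps a record under Enum\USBSTOR even after the device is unplugged, which
# is useful both for compliance spot-checks and after a reported loss.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
if (Test-Path $usbstor) {
    Get-ChildItem $usbstor | ForEach-Object {
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            Write-Host ("Seen USB storage device: {0} (instance {1})" -f $props.FriendlyName, $_.PSChildName)
        }
    }
}
```

Run it with no arguments to audit, or with `-Mode EnforceEncryptedOnly` to apply the BitLocker To Go write restriction. Note that the Removable Storage Access policy takes effect for devices plugged in after the policy is applied, and that the `DenyAllRemovable` mode is the blunt instrument: it satisfies step 4 but makes step 3 (minimising personal PSDs) moot by blocking sanctioned devices too, so most agencies will want the encrypted-only mode.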

In any case, technical measures, as always, will only be part of the picture. In matters of privacy protection, data loss and DRM, technical protections will only ever be playing catch-up. What overarches all of this – which the guidance note does not cover – is the observation from the UK’s 2008 Burton Report into the loss of Ministry of Defence data, that described a “Facebook generation” as having:

“a culture where the rapid and often uninhibited exchange of information is the norm… The younger generation of MoD staff are not inculcated with the same culture of protecting information as their counterparts from previous generations.”

Communicating the risks and liabilities (and documenting them in policies and contracts) is a step often overlooked.

Data loss & disclosure

Yet another survey, this time of New Zealand firms, suggests that data loss will remain one of the top issues in IT for the near future. As reported by Computerworld, “58% of Australian and New Zealand companies suffered a data loss or breach that affected business performance”.

Interestingly, the Australia/New Zealand rate is above the US and global rates. This is despite New Zealand having very few reported incidents, while reported incidents in the UK and US seem to have reached near-epidemic levels. As the article reports, maybe this is because they are kept out of the press.

It is true that other countries have (or are implementing) mandatory data loss notification laws. Locally, the idea has been proposed by the Privacy Commissioner, who says there is a “good case” for such a law. However, this could be many years away. The issue is not currently on the Law Commission’s project list, which would probably be the first step to introducing such a law, and it is fair to say the Government has more important things to worry about at present.

It is inevitable, however, that we will implement such a law, and when we do we are likely to look to the UK as a model. The UK and EU have been particularly active in the area of data protection (for good reason). Last year, the UK passed a “reckless data loss law”, allowing the Information Commissioner to impose monetary penalties on data controllers who:

“knew or ought to have known that there was a risk that [data loss] would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the [data loss].”

Because the penalty is served on the data controller rather than on staff, it would reach a reckless sysadmin personally only where that individual is the controller; the real shift is that liability turns on whether a foreseeable risk was reasonably addressed, not merely on whether a loss eventually happened. Whether or not this is a good idea remains to be seen, as the law has been passed but is not yet in force. And unfortunately for victims, the UK Government gets to pocket the fine.

In the meantime, in this country the Privacy Commissioner should be the first stop for personal data loss issues. Beyond that, it is very much a matter of being careful about whom you entrust your personal information to – bearing in mind that whoever you give it to will almost certainly involve third-party contractor access at some level.