Employer monitoring or hacking?

Remember the recent reports of employers asking employees (and job applicants) for Facebook passwords? While such a tactic may be overbearing, a local incident reported in a recent Privacy Commissioner Case Note went even further.

In the case, Case note 229558 [2012] NZ PrivCmr 1 : Employer uses monitoring software to collect personal information, the employer installed monitoring software to record the employee’s activities on his work computer. That in itself is not particularly unusual, and is often provided for in employment contracts.

However, the employer also used a keylogger to record the employee’s password for his personal webmail. The employer then accessed the webmail and copied a number of emails. The Commissioner said:

When the employer accessed the man’s personal email account, it was able to obtain information in relation to a significant number of emails sent over a period of several years.

This went well beyond any information that may have been relevant to the employment investigation. We formed the view that the employer had breached principle 1, because the collection was unnecessary and disproportionate to the employer’s needs.

What about employment policies and the like? In this case, the employment contract did specify that computer use could be monitored. However the Commissioner said:

We were also satisfied that the employer’s policies were not explicit enough to make an employee aware that if they entered a password into the computer, the employer would be able to use this information to collect further information not held on the work computer. We formed the view that this also breached principle 3.

There would need to be a high level of detail and notice before an employer could legitimately install a keylogger to secretly capture the password to a personal email account, and then unilaterally access that personal account and download emails.

In the end, the matter settled at mediation. Reading between the lines, the case probably involved the not uncommon situation of unauthorised copying of work information, and the employer may have felt justified in doing what he/she did.

However, employers must be very careful about attempting to “hack” employees’ personal email accounts not held on company equipment (even where access is made via a work computer). Besides the potential for breaching the Privacy Act, there is also the risk of criminal prosecution for accessing a computer system without authorisation (s 252 of the Crimes Act). This will not be an issue when it is the company’s own computer system, but it may well be an issue when accessing another computer system, such as a web-based email account. Capturing a password on a work computer does not extend the employer’s authorisation to the third-party system that password unlocks.

LawComm recommends data breach notification

The Law Commission has released its fourth and final report on privacy law. One of its key recommendations is data breach notification, or as the Commission puts it:

… notification should be mandatory in cases where notification will enable people to take steps to mitigate a risk of significant harm, or where the breach is a serious one (for example, because the information is particularly sensitive).

Notification should be made to the individual whose information has been compromised, and also to the Office of the Privacy Commissioner.

This would be a major – and welcome – change from the status quo, which is that agencies (e.g. companies holding personal information) are generally under no legal obligation (unless such obligation is assumed) to report data breaches. Sir Geoffrey Palmer commented on the situation last year:

Another subject on which we are contemplating some changes is data breach notification… Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

(The Law Commission’s issues paper discussing data loss is here). The recommendation comes at the same time as the EU is grappling with imposing a uniform notification regime across member states.

A data breach notification regime, while imposing some compliance cost on organisations, is a necessary thing in today’s world.

Recently I had my own example of when such a regime might have been useful, when my bank informed me that I had “suspicious activity” on my credit card – a large transaction from Portugal. What was curious was that I had only had that card for a few months, and had not used it much at all (and not online at all). The card could have been physically copied somehow, but if one of the few merchants who I had used it with had lost the data via hacking, there is no obligation for them to advise me of the loss – nor any other information that may have been lost with it.

The example of credit cards was specifically mentioned by Law Commissioner Professor John Burrows in announcing the recommendation:

“People have a right to know if their information has been compromised in a serious way”, said Law Commissioner Professor John Burrows. “Then they can take measures to protect themselves (such as cancelling credit cards), or can at least prepare themselves for any consequences of the breach.”

It will be interesting to see how the details of such a regime are eventually formulated.

Sony’s privacy breach

Details are continuing to emerge about Sony’s massive security breach, which has resulted in personal information of up to 77 million users, including New Zealanders, being stolen. It is unclear how much of the data was encrypted, although Sony has said that credit card information was encrypted.

The first lawsuits are already flying, and Sony’s share price has fallen by as much as 5%:

Late on Wednesday, Rothken Law Firm filed a lawsuit on behalf of an individual plaintiff named Kristopher Johns against Sony in the Northern District of California court.

“This suit seeks to redress Sony’s failure to adequately provide service to PlayStation consoles and PlayStation Network,” the lawyers for the plaintiff said in a court filing.

The plaintiff has requested the court to certify this case as a class action and has also sought unspecified monetary damages, according to the filing.

What protection is offered to New Zealanders affected by the breach? New Zealand’s privacy protection stacks up relatively well, as Auckland University Senior Lecturer Gehan Gunasekara has noted. The recent EU Working Party report on New Zealand’s privacy regime is available here. As the report notes:

4) Security principle: The controller must adopt appropriate technical and organisational measures against the risks presented by the processing. Any person acting under the authority of the controller, including the person in charge of processing, must not process data except on instructions from the controller.

The Working Party considers that principle 5 (Storage and security of personal information) covers the aspects required for the security principle. This principle is based on the OECD security safeguards principle and the wording is similar to the wording of article 17(1) and (2) of the Directive in that security measures must protect against loss, access, use, modification, disclosure and misuse. Agencies must do everything reasonably within their power to prevent unauthorised access and disclosure where information is given to a processor.

The Privacy Commission has previously investigated data loss caused by insecure computer systems (though obviously not on the probably unprecedented scale of Sony’s recent data loss). The Commission cannot impose fines or damages, although a complainant (or the Commissioner) can refer the matter to the Human Rights Tribunal, which does have the ability to award damages for:

(a) pecuniary loss suffered as a result of, and expenses reasonably incurred by the aggrieved individual for the purpose of, the transaction or activity out of which the interference arose:

(b) loss of any benefit, whether or not of a monetary kind, which the aggrieved individual might reasonably have been expected to obtain but for the interference:

(c) humiliation, loss of dignity, and injury to the feelings of the aggrieved individual.

Remedies are also potentially available in negligence. However, a negligence claim is very unlikely to be brought in New Zealand, in large part because of the difficulties in bringing class actions of the kind seen in the US. It is also likely that the relevant principles under the Privacy Act do not apply to information held overseas by Sony in this case. This is unfortunate, as it means that while US citizens are able to seek compensation from Sony, New Zealanders who have suffered the same inconvenience and harm have no practical remedy (whether under the Privacy Act 1993 or in tort, including negligence). Likewise, if Sony offers compensation to users whose data has been stolen, it may be able to avoid compensating New Zealand users without (direct) detriment.

It surely must be the case that, in future years, better and more accessible remedies will be available to New Zealand citizens who suffer loss of personal information as a result of egregious security lapses by agencies holding that information.

The privacy bargain

Stephen Bell of Computerworld recently outlined his views on the privacy bargain:

Another view, which I find more persuasive, is that when we make use of a service like Facebook, we enter a commercial bargain. Something very useful is provided to us free of charge and in exchange we cede something of our private selves to the providers, to be sold for whatever they can earn.

This is also my view, as I have written about here. Interestingly, Stephen got the view of the Privacy Commissioner:

I put this to Privacy Commissioner Marie Shroff. She suggests the bargain accepters are not as numerous as I believe, and in the wake of the Facebook and Google embarrassments, privacy champions are becoming a majority.

Yet what is happening is that companies such as Facebook and Google – who arguably stand to lose the most from pushing the privacy envelope a bridge too far – are themselves becoming the leading “privacy champions”, and shaping the future of privacy expectations and regulation at the same time. For example, Google has announced it will be undertaking biennial “independent privacy reviews to keep it on the straight and narrow”.

PR stunt? Window-dressing? Possibly, though assuming not then I think it is a very good idea. But the size and reach of Google means any practical changes will affect users around the world, and shift the goalposts of expectations and norms, years in advance of any regulation. And in the meantime, users will continue to flood to social networks and other systems – many of whom will never have known a world with any different processes or expectations of privacy.

How, then, might Government-imposed regulation be seen? Stephen sums it up very well:

There is a risk that the Privacy Commissioner and her staff might then be seen as the villains, keeping us from using new technology to smooth our businesses and lives because of their legalistic obsession with an abstract value.

The evidence to hand shows the privacy bargain has been well and truly accepted, for better or for worse. The challenge for any regulation is to be seen as adding value (for citizens) to these bargains, not getting in the way of willing parties.

Telecom database update

The Herald reports more details of the alleged privacy breach involving a Telecom database:

The scale of a Telecom security breach is becoming apparent with hundreds of thousands of customers at risk of having had their personal details searched.

Sales staff working for commercial rival Slingshot have told the Herald on Sunday they would use Telecom’s Wireline database more than a thousand times on some days.

The Privacy Commissioner’s office has also announced an investigation:

“At this early stage we understand from Telecom that the security breach related to the login details for one Telecom dealer and that login has since been deactivated,” said Ms Evans.

“We will need to investigate further to find out how this happened and whether Telecom needs to make any improvements to its data security practices to adequately protect customer information.”

A key question is how one login could be used, sometimes more than a thousand times a day, over a multi-year period, without being detected.

A criminal investigation is also likely. Possible charges for improperly accessing a database include:

For criminal charges to stick, there must be the necessary criminal intent. A staff member who was told to use a database, and innocently did so with no idea that their access was not authorised, cannot be liable. Knowledge of improper access, or “reckless disregard”, is key.

The Privacy Commissioner’s office has also warned against the use of confidentiality agreements as “window dressing” for proper privacy protection. A confidentiality agreement cannot absolve third-party liability, but most of them do contain indemnity clauses, which can allow full (or nearly full) recovery of all losses and costs arising from a breach in appropriate circumstances.

Telecom database access privacy concerns

NZPA reports:

A marketing company working for Telecom’s rival, Slingshot, has been accused of accessing the telco’s Wireline database, which contains personal customer information.

Telecom Retail CEO Alan Gourdie said the telco was investigating the accusation of potentially fraudulent activity, detailed in today’s Herald on Sunday.

“If our investigation confirms unauthorised access we will pursue all appropriate action.”

Access to Telecom Retail’s Wireline information requires passwords and pin numbers and should only be accessed by authorised personnel, he said.

While the initial investigation will be on the marketing company’s conduct (and perhaps into possible criminal conduct on the part of several parties), questions must also be asked of Telecom – which Privacy Commissioner Marie Shroff has said she will do.

Regardless of whether a security breach has occurred, and regardless of whether the marketing company acted unlawfully (neither fact is yet established), there are obligations on Telecom (and other “agencies” making data available to third parties) to take reasonable measures to safeguard personal information. This is not limited to preventing unauthorised disclosure, but includes preventing unauthorised access and use. It can also extend to ensuring that systems are properly designed to protect personal information.

The reports do not say how long the alleged improper access went on, but do report that it was “common practice” by multiple staff (now former staff), which suggests a long time frame. The reports indicate that the access was via a single login (now deactivated) of a legitimate user. Questions include:

  • Were user logins (and failed logins) recorded?
  • If so, were they ever audited and how?
  • And if so, why was the improper use not detected?
  • Did the database allow multiple simultaneous logins, and if so was this intended / appropriate?
  • What password expiry regime (if any) was used for this database?
  • What restrictions (if any) were placed on legitimate users to prevent them from disclosing login information?
  • Were there any user warnings / confirmation processes as to appropriate use built into the database?
  • Was only the minimum amount of personal information necessary made available in Wireline in the first place?
  • Are there any other logins for this database, and other Telecom databases, showing unusual activity, which have not been adequately investigated?
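The first three questions above (were logins recorded, were they audited, and why was the improper use not detected) come down to a simple review of access logs. The following Python script is an added illustration of what such an audit looks like; it is not Telecom’s code, and the log format, field names, login IDs (dealer007, dealer042), IP addresses and thresholds are all assumptions made for the example, with the log lines constructed inline. It flags a login whose daily lookup count far exceeds a set limit, and a login that is in use from more than one source address within a short window, which is the signature of one set of credentials being shared across several workstations.

```python
"""Access-log review for the shared-login abuse pattern discussed above.

Added example, not Telecom's code. Assumed log line format:
    <ISO timestamp> <login> <source_ip> <action> <customer_id>
Login names, IPs and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log lines (not real data)."""
    lines = []
    base = datetime(2011, 3, 1, 9, 0, 0)
    # dealer007: ordinary use, 40 lookups a day from one workstation, 3 days
    for day in range(3):
        for i in range(40):
            ts = base + timedelta(days=day, minutes=10 * i)
            lines.append(f"{ts.isoformat()} dealer007 10.1.1.5 LOOKUP C{day * 1000 + i:05d}")
    # dealer042: one login reused from three workstations, ~1200 lookups a day
    for day in range(3):
        for i in range(1200):
            ts = base + timedelta(days=day, seconds=20 * i)
            ip = ["203.0.113.7", "203.0.113.8", "203.0.113.9"][i % 3]
            lines.append(f"{ts.isoformat()} dealer042 {ip} LOOKUP C{day * 10000 + i:05d}")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, login, source_ip, action, customer_id)."""
    ts, login, ip, action, cust = line.split()
    return datetime.fromisoformat(ts), login, ip, action, cust


def review_access_log(lines, daily_limit=500, concurrency_window=timedelta(minutes=5)):
    """Return {login: [reasons]} for logins whose use looks like a shared or abused credential.

    Two checks:
      1. more than `daily_limit` customer lookups by one login in one calendar day;
      2. the same login active from two different source IPs within `concurrency_window`.
    """
    records = sorted((parse_line(l) for l in lines), key=lambda r: r[0])
    per_day = defaultdict(int)      # (login, date) -> number of lookups
    last_seen = defaultdict(dict)   # login -> {source_ip: last timestamp seen}
    findings = defaultdict(set)

    for ts, login, ip, action, _cust in records:
        if action != "LOOKUP":
            continue
        per_day[(login, ts.date())] += 1
        # Concurrency check: another IP used this login a moment ago.
        for other_ip, other_ts in last_seen[login].items():
            if other_ip != ip and ts - other_ts <= concurrency_window:
                pair = " and ".join(sorted((other_ip, ip)))
                findings[login].add(f"concurrent use from {pair}")
        last_seen[login][ip] = ts

    for (login, day), n in per_day.items():
        if n > daily_limit:
            findings[login].add(f"{n} lookups on {day} (limit {daily_limit})")

    return {login: sorted(reasons) for login, reasons in findings.items()}


if __name__ == "__main__":
    for login, reasons in review_access_log(build_sample_log()).items():
        print(login)
        for reason in reasons:
            print("  -", reason)
```

Run on the constructed log, the script reports nothing for dealer007 and several findings for dealer042 (three daily-volume breaches and three overlapping IP pairs). The thresholds are deliberately crude; the point is that either check, run once a day over logs the database already keeps, would have surfaced a login used a thousand times a day from several machines long before a multi-year period elapsed. Whether such logs were kept and whether anyone looked at them is exactly what the Commissioner’s investigation needs to establish.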

Companies can and frequently do provide third-party access to their customer data. While proper contracts can ensure the commercial and legal aspects of these arrangements are appropriately documented, companies holding personal information must still be aware of their inherent obligations under the Privacy Act.