LawComm recommends data breach notification

The Law Commission has released its fourth and final report on privacy law. One of its key recommendations is data breach notification, or as the Commission puts it:

… notification should be mandatory in cases where notification will enable people to take steps to mitigate a risk of significant harm, or where the breach is a serious one (for example, because the information is particularly sensitive).

Notification should be made to the individual whose information has been compromised, and also to the Office of the Privacy Commissioner.

This would be a major – and welcome – change from the status quo, which is that agencies (e.g. companies holding personal information) are generally under no legal obligation (unless such obligation is assumed) to report data breaches. Sir Geoffrey Palmer commented on the situation last year:

Another subject on which we are contemplating some changes is data breach notification… Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

(The Law Commission’s issues paper discussing data loss is here). The recommendation comes at the same time as the EU is grappling with imposing a uniform notification regime across member states.

A data breach notification regime, while imposing some compliance cost on organisations, is a necessary thing in today’s world.

Recently I had my own example of when such a regime might have been useful, when my bank informed me that I had “suspicious activity” on my credit card – a large transaction from Portugal. What was curious was that I had only had that card for a few months, and had not used it much at all (and not online at all). The card could have been physically copied somehow, but if one of the few merchants who I had used it with had lost the data via hacking, there is no obligation for them to advise me of the loss – nor any other information that may have been lost with it.

The example of credit cards was specifically mentioned by Law Commissioner Professor John Burrows in announcing the recommendation:

“People have a right to know if their information has been compromised in a serious way”, said Law Commissioner Professor John Burrows. “Then they can take measures to protect themselves (such as cancelling credit cards), or can at least prepare themselves for any consequences of the breach.”

It will be interesting to see how the details of such a regime are eventually formulated.

Sony’s privacy breach

Details are continuing to emerge about Sony’s massive security breach, which has resulted in personal information of up to 77 million users, including New Zealanders, being stolen. It is unclear how much of the data was encrypted, although Sony has said that credit card information was encrypted.

The first lawsuits are already flying, and it has lost as much as 5% of its share price:

Late on Wednesday, Rothken Law Firm filed a lawsuit on behalf of an individual plaintiff named Kristopher Johns against Sony in the Northern District of California court.

“This suit seeks to redress Sony’s failure to adequately provide service to PlayStation consoles and PlayStation Network,” the lawyers for the plaintiff said in a court filing.

The plaintiff has requested the court to certify this case as a class action and has also sought unspecified monetary damages, according to the filing.

What protection is offered to New Zealanders affected by the breach? New Zealand’s privacy protection stacks up relatively well, as Auckland University Senior Lecturer Gehan Gunasekara has noted. The recent EU Working Party report on New Zealand’s privacy regime is available here. As the report notes:

4) Security principle: The controller must adopt appropriate technical and organisational measures against the risks presented by the processing. Any person acting under the authority of the controller, including the person in charge of processing, must not process data except on instructions from the controller.

The Working Party considers that principle 5 (Storage and security of personal information) covers the aspects required for the security principle. This principle is based on the OECD security safeguards principle and the wording is similar to the wording of article 17(1) and (2) of the Directive in that security measures must protect against loss, access, use, modification, disclosure and misuse. Agencies must do everything reasonably within their power to prevent unauthorised access and disclosure where information is given to a processor.

The Privacy Commission has previously investigated data loss caused by insecure computer systems (though obviously not on the probably unprecedented scale of Sony’s recent data loss). The Commission cannot impose fines or damages, although a complainant (or the Commissioner) can refer matter to the Human Rights Tribunal, which does have the ability to award damages for:

(a) pecuniary loss suffered as a result of, and expenses reasonably incurred by the aggrieved individual for the purpose of, the transaction or activity out of which the interference arose:

(b) loss of any benefit, whether or not of a monetary kind, which the aggrieved individual might reasonably have been expected to obtain but for the interference:

(c) humiliation, loss of dignity, and injury to the feelings of the aggrieved individual.

Remedies are also potentially available under negligence. However, this is very unlikely to occur in New Zealand, in large part because of the difficulties in bringing class actions as in the US. It is also likely that the relevant principles under the Privacy Act do not apply to information held overseas by Sony in this case. This is unfortunate, as it means that while US citizens are able to seek compensation from Sony, New Zealanders who have suffered the same inconvenience and harm have no practical remedy (whether under the Privacy Act 1993, or tort law, or negligence). Likewise, if Sony offers compensation to users whose data has been stolen, it may be able to avoid compensating New Zealand users without (direct) detriment.

It surely must be the case that, in future years, better and more accessible remedies will be available to New Zealand citizens who suffer loss of personal information as a result of egregious security lapses by agencies holding that information.

Telecom database access privacy concerns

NZPA reports:

A marketing company working for Telecom’s rival, Slingshot, has been accused of accessing the telco’s Wireline database, which contains personal customer information.

Telecom Retail CEO Alan Gourdie said the telco was investigating the accusation of potentially fraudulently activity, detailed in today’s Herald on Sunday.

“If our investigation confirms unauthorised access we will pursue all appropriate action.”

Access to Telecom Retail’s Wireline information requires passwords and pin numbers and should only be accessed by authorised personnel, he said.

While the initial investigation will be on the marketing company’s conduct (and perhaps into possible criminal conduct on the part of several parties), questions must also be asked of Telecom – which Privacy Commissioner Marie Shroff has said she will do.

Regardless of whether a security breach has occurred, even if by the marketing company having acted unlawfully (and neither of these facts are yet established), there are obligations on Telecom (and other “agencies” making data available to third parties) to take reasonable measures to safeguard personal information. This is not limited to preventing unauthorised disclosure, but includes preventing unauthorised access and use. It can also extend to ensuring that systems are properly designed to protect personal information.

The reports do not say how long the alleged improper access went on, but does report that it was “common practice” by multiple staff (now former staff), which suggests a long time frame. The reports indicate that the access was via a single login (now deactivated) of a legitimate user. Questions include:

  • Were user logins (and failed logins) recorded?
  • If so, were they ever audited and how?
  • And if so, why was the improper use not detected?
  • Did the database allow multiple simultaneous logins, and if so was this intended / appropriate?
  • What password expiry regime (if any) was used for this database?
  • What restrictions (if any) were placed on legitimate users to prevent them from disclosing login information?
  • Were there any user warnings / confirmation processes as to appropriate use built into the database?
  • Was only the minimum amount of personal information necessary made available in Wireline in the first place?
  • Are there any other logins for this database, and other Telecom databases, showing unusual activity, which have not been adequately investigated?

Companies can and frequently do provide third-party access to their customer data. While proper contracts can ensure the commercial and legal aspects of these arrangements are appropriately documented, companies holding personal information must still be aware of their inherent obligations under the Privacy Act.

Website security privacy complaint

A recent case note issued by the Privacy Commissioner is a reminder that insecure website design is more than just a programming and credit card issue, but can result in potential privacy complaints. Credit card information was not involved in this particular incident – it was personal travel booking details instead:

A customer purchased travel related services from a company. The company sent him an email with a link to his booking details on its website. The customer noticed that the website URL link ended with his booking number. He observed that by changing the booking number, he could view booking details for other customers. He realised that other individuals would also be able to view his booking information.

The case note says that the travel company in question contacted its website design company, who fixed the problem very quickly.

Insecure URLs, or more specifically insecure query strings, are a prime cause of this type of disclosure. However, they are fundamental and somewhat trivial for competent web-designers to secure. In this case, it sounds as if the travel company acted responsibly, and was probably not aware of the flaw, instead relying on its website designer to build a reasonably secure site. If the travel company did suffer loss as a result of poor (insecure) website design, they may be able to seek compensation from the designer – this will depend on the contract between the travel company and the website designer. The travel company could also limit its liability to customers with an appropriate disclaimer (which could take into account that the website was designed by another firm), although it is not possible to exclude all liability in this manner.

Another, often overlooked, way for firms to gain some protection from these types of incidents is technology liability insurance offered by some insurers – for example, Lumley Insurance’s Technology Liability Insurance.

Government getting better at not losing data

Around 120 Government-owned personal storage devices were lost in the past 12 months, according to the Privacy Commissioner. I don’t know how this ranks with other governments and large companies, but it is probably about average. PSDs will get lost. The question is what controls are in place to protect the data.

Last year, the Privacy Commissioner released  a guidance note on PSDs. Now, the Privacy Commissioner has provided an update:

Government agencies have generally improved security around ‘portable storage devices’ (PSDs) such as USB memory sticks – but there are still some key agencies that have less than desirable controls

This is based on a survey released this week (PDF, 4 MB) showing that two-thirds of government agencies have “adequate controls” compared to half last year. That there has been improvement is good, but it does raise the question: what are the other third doing? Controls on PSDs are common sense for government agencies, and not massively difficult to implement. There can be no excuse for not having 100% of agencies with measures in place next year.

The report did not cover data loss disclosure – which the Privacy Commissioner had raised last year – but it did note:

In almost all occasions, agencies became aware of the loss or theft of a PSD through staff notification.

However, at yesterday’s Privacy Forum in Wellington Sir Geoffrey Palmer confirmed mandatory data loss disclosure was on the Law Commission’s reform radar. From his speech:

Another subject on which we are contemplating some changes is data breach notification. We have examined closely the merits of introducing a mandatory data breach notification requirement into the Privacy Act. Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

This is clearly an unsatisfactory state of affairs. Data disclosure rules are a common feature in the European Union, and the United States (which is sometimes wrongly criticised as having lax rules). The rules apply not only to the public sector, but private companies too. The Law Commission is taking submissions on this subject as part of its ongoing review process.

Portable storage devices & data loss

The Privacy Commissioner recently released a Guidance Note on the Use of Portable Storage Devices. PSDs have been the cause of some major data-loss incidents around the world in recent years, although of course people will still drop notepads in the street or lose unencrypted disks in the post. The recommended steps:

  1. Assess the risks associated with using PSDs in your organisation.
  2. Introduce and actively communicate policies that set out how staff may use PSDs.
  3. Minimise the use of personal PSDs in the workplace.
  4. Introduce software or hardware controls (or both) to restrict use of PSDs.
  5. Actively monitor the use of PSDs for compliance with policies.

A relevant item to note following the launch of Windows 7 is the new BitLocker To Go extension for encrypting USB drives. For Windows users this would surely be a key policy to introduce.

In any case, technical measures, as always, will only be part of the picture. In matters of privacy protection, data loss and DRM, technical protections will only ever be playing catch-up. What overarches all of this – which the guidance note does not cover – is the observation from the UK’s 2008 Burton Report into the loss of Ministry of Defence data, that described a “Facebook generation” as having:

“a culture where the rapid and often uninhibited exchange of information is the norm… The younger generation of MoD staff are not inculcated with the same culture of protecting information as their counterparts from previous generations.”

Communicating the risks and liabilities (and documenting them in policies and contracts) is a step often overlooked.