Privacy Commissioner labels 2012 the year of the data breach

A clutch of serious events, particularly to do with unintentional release of government-held information, have led privacy commissioner Marie Shroff to label 2012 "the year of the data breach", in her annual report released yesterday.

The report singles out the ACC's unintentional release of data on more than 6500 clients in March and the more recent leakage in the Ministry of Social Development's kiosks.

In private industry, the customer can always react to a provider's inadequate privacy practices by moving their business to a competitor, but with government this is not possible, the commissioner points out. This has led to calls for formal powers and sanctions against such breaches.

"It is clear that people believe regulators should have -- and use -- the ability to call agencies to heel," Shroff says. "For instance in our public opinion survey earlier this year, 97 percent of respondents said that the privacy commissioner should have the power to order an agency to comply with the law, and 88 percent said they wanted businesses punished if they misuse people's personal information."

Personal information is increasingly recognised as an "asset class" in a business, says Shroff in the annual report, and its proper handling is of importance to the economy, particularly where cross-border movement of data is concerned.

"For instance, the World Economic Forum refers to the evidence of an emerging asset class of personal data, but also goes on to note the lack of rules, norms and frameworks that, by contrast, exist for other types of assets," Shroff says.

"We may have the valued goods in the form of personal data -- and the means of distribution through online networks -- but we have sometimes lacked cross-border enforcement mechanisms and regulatory solutions for when things go wrong."

Amendments to the Privacy Act to offer better cross-border protection were put in place in 2010, and the commissioner records that European Union authorities are as a result in the final stages of declaring New Zealand privacy legislation "adequate" for participation in trade with Europe. The adequacy finding is expected before the end of the year.

Privacy risk management should be recognised as a responsibility for the whole of the company, Shroff says.

The report flags cloud computing as an area of progress and the commissioner favourably mentions the Cloud Computing Code of Practice developed under the guidance of the Institute of IT Professionals.

The commissioner's office has been working on a guide for cloud computing targeted at SMEs and expects to be able to make this freely available online shortly.


Stories by Stephen Bell
