Privacy Commissioner labels 2012 the year of the data breach

A clutch of serious events, particularly to do with unintentional release of government-held information, have led privacy commissioner Marie Shroff to label 2012 "the year of the data breach", in her annual report released yesterday.

The report singles out the ACC's unintentional release of data on more than 6500 clients in March and the more recent leakage in the Ministry of Social Development's kiosks.

In private industry, the customer can always react to a provider's inadequate privacy practices by moving their business to a competitor, but with government this is not possible, the commissioner points out. This has led to calls for formal powers and sanctions against such breaches.

"It is clear that people believe regulators should have -- and use -- the ability to call agencies to heel," Shroff says. "For instance in our public opinion survey earlier this year, 97 percent of respondents said that the privacy commissioner should have the power to order an agency to comply with the law, and 88 percent said they wanted businesses punished if they misuse people's personal information."

Personal information is increasingly recognised as an "asset class" in a business, says Shroff in the annual report, and its proper handling is of importance to the economy, particularly where cross-border movement of data is concerned.

"For instance, the World Economic Forum refers to the evidence of an emerging asset class of personal data, but also goes on to note the lack of rules, norms and frameworks that, by contrast, exist for other types of assets," Shroff says.

"We may have the valued goods in the form of personal data -- and the means of distribution through online networks -- but we have sometimes lacked cross-border enforcement mechanisms and regulatory solutions for when things go wrong."

Amendments to the Privacy Act to offer better cross-border protection were put in place in 2010, and the commissioner records that European Union authorities are as a result in the final stages of declaring New Zealand privacy legislation "adequate" for participation in trade with Europe. The adequacy finding is expected before the end of the year.

Privacy risk management should be recognised as a responsibility for the whole of the company, Shroff says.

The report flags cloud computing as an area of progress and the commissioner favourably mentions the Cloud Computing Code of Practice developed under the guidance of the Institute of IT Professionals.

The commissioner's office has been working on a guide for cloud computing targeted at SMEs and expects to be able to make this freely available online shortly.
