EQC security botch-up creates 'dismay'
An EQC botch-up forced the under pressure government department to apologise to 10,000 Christchurch households after a staff member accidentally distributed sensitive private information.
The breach yesterday by a senior Earthquake Commission manager meant potentially damaging information belonging to 9700 claimants was sent to a Christchurch businessman.
The man is a former EQC employee who is now running his own business.
He declined to speak to The Press but it is understood he was appalled by the slip.
EQC said the man had signed a statutory declaration promising he would delete the information and not disseminate it.
EQC boss Ian Simpson told a quickly called press conference in Wellington yesterday he decided to front on the breach immediately because of other recent government department privacy breaches.
He confirmed a staff member sent out an email meant for EQC only, but the auto-complete function in the email accidentally filled in a third party's address.
The email included an attachment with 9701 claimants, claim numbers and street addresses. It did not include names.
However, The Press understands the attachment did contain a lot of financial information relating to individual claims.
"I am dismayed and disappointed that this breach has occurred," Simpson said. "I apologise unreservedly that private customer information was sent to the wrong person."
Every effort would be directed at ensuring it did not happen again, he said.
The breach affected customers in the EQC Canterbury Home Repair Programme whose repairs were yet to begin, he said.
EQC would beef up procedures for encrypting and securely accessing sensitive data and rules for using email to send sensitive documents.
"We will commission an independent review of the breach and take steps from that review to ensure this doesn't happen again."
Affected clients would be contacted from early next week, Simpson said.
The staff member responsible for accidentally sending out the email would not be punished, Simpson said.
Earthquake Recovery Minister Gerry Brownlee had been informed of the breach and was pleased the EQC was stepping forward publicly so soon.
After the press conference Simpson said the apology was delivered in Wellington, not Christchurch, because he and every member of the leadership team were there for a board meeting and "so it was appropriate to hold it here".
Privacy Commissioner Marie Shroff said public sector agencies needed to have stronger controls in place when handling spreadsheets of personal information.
"The EQC breach is yet another incident involving inadvertent disclosure of large amounts of personal information on a spreadsheet," Shroff said. "We hope that agencies are starting to realise that they should have stronger controls in place to help to prevent these types of mistakes.
"There are real people behind the information that government holds, and we all have the right to expect that our information will be strongly protected."