Row brewing over privacy 'crime'

22:02, May 08 2011

A row is brewing over whether businesses should face criminal sanctions and fines if they fail to notify people of data breaches.

The privacy commissioner is calling for notification of data breaches to be mandatory and for concealment to be made a crime. But Business New Zealand says criminal penalties would be heavy-handed and unjustified.

The Law Commission is reviewing the Privacy Act and is due to decide next month whether data breach notifications should be compulsory, a move also supported by the Law Society.

Data breaches are in the spotlight after hackers accessed personal and potentially credit card details tied to more than 70 million Sony online gaming accounts, including more than 235,000 New Zealand accounts.

Sony took a week to advise people of the breaches, prompting Australia's federal government to warn that disclosure of data breaches will become compulsory.

New Zealand's Privacy Commissioner, Marie Shroff, who issued voluntary guidelines in 2008, said organisations should now be required to notify people of data breaches in cases where the breach created risk and notification would help reduce that risk.


Businesses and other organisations that "wilfully or recklessly" failed to notify people of breaches should face criminal sanctions and punitive damages.

"You need to have a sanction there if the scheme is going to be effective. You may never have to use that sanction."

She would consider introducing a statutory code making notification mandatory if the Law Commission did not recommend a law change.

Business New Zealand chief executive Phil O'Reilly said it was "disturbing" that the commissioner had leapt from voluntary guidelines to criminal sanctions "without any serious justification".

"That is a very heavy-duty thing to do. Have they done anything to demonstrate that this happens a lot in New Zealand? If they can show some study that demonstrates that this is a problem and that there are serial offenders and the only option is criminal sanctions ... that would be interesting."

He said Ms Shroff should explore other options such as education or self-regulatory codes before introducing legal penalties.

"From what I can see, they have not engaged with mainstream business very effectively."

He would be surprised if serious data breaches were common in New Zealand, and said businesses already had a big incentive to not to cover them up.

"The risks to their corporate reputations are huge."

Mr O'Reilly said any scheme would need to ensure compliance did not harm the growth of small to medium-sized businesses – a point that had been raised by the Law Society.

Ms Shroff said organisations had begun to notify her office of breaches.

"We now know breaches are happening at a small level, with individual people, across to huge breaches where discs with taxpayers' details on them get lost.

"We don't have an exact idea but we're reasonably sure that there's a lot more happening."

Whether a breach created risk would depend on the situation, she said.

"If you've got a list of women who have domestic violence orders and their names and addresses and telephone numbers, there you've got what is apparently non-sensitive information being highly risky."

Breaches of sensitive data such as medical information, or credit card details as in the Sony case, would "by definition" create risk for people.

The 2008 guidelines had been "broadly accepted" by industry and some businesses then had been supportive of a mandatory scheme with sanctions. Requiring notification only if there was risk would avoid "over-notification" and limit compliance costs.

The commissioner suggested organisations be required to notify it of breaches affecting 50 or more individuals and said it should have the power to order notifications. Notifications should suggest steps people could take to protect themselves, and be issued promptly, though they could be delayed to avoid compromising law enforcement.

The Dominion Post