date 2023-04-21
Latitude lends under the Gem by Latitude brand, and provides personal loans for Kiwibank customers.

ANALYSIS: “Our Privacy Act has zero teeth,” says Julia Nicol from electronic payments company Worldline.

“Woeful” is the word privacy lawyer Kathryn Dalziel uses to describe the financial penalties for companies that break privacy laws and fail to keep customer data safe.

The Office of the Privacy Commissioner says the absence of fines is a major tool missing from its toolbox.

After telecoms company Optus allowed data on about 40% of Australians to be stolen in September 2022, in what was dubbed “the hack that woke up Australia”, Australian politicians’ anger ran hot.

They lifted the maximum penalty for failing to keep customers’ data secure from A$2.22 million (NZ$2.4m) to the greatest of A$50m, three times the value of any benefit obtained from the breach, or 30% of the corporate body’s adjusted turnover during the breach turnover period.

Australian Attorney-General Mark Dreyfus, in the run-up to the increases in penalties across the Tasman, said: “Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”

“We have nothing like that,” says Nicol. “Every now and then, they [New Zealand regulators] will whip out a $10,000 fine, which to be honest isn’t going to do much damage to these big companies holding lots of information.”

But now New Zealand has joined Australia in suffering a mega data breach, jogging memories of calls for meaningful fines that politicians have ignored.

On March 16, Australian lender Latitude Financial revealed someone had used one of its employees’ login details to steal 7.9m customer records, including a million driver licence numbers and over 16,000 full scans of identity documents.

Those records covered around a million New Zealanders, a staggering one fifth of the country’s entire population, because Latitude has a large lending business here under the Gem by Latitude brand, and in lending tie-ups such as providing personal loans to Kiwibank customers.

The Office of the Privacy Commissioner says Latitude’s failure to keep data secure is the largest privacy breach in this country’s history.

Crooks with the data have demanded a ransom from Latitude for its return, which Latitude says it will not pay.

The lender has been contacting the million or so Kiwis whose data it has lost, but as late as April 12 people were still getting emails telling them they were among the roughly 20% of the population who now have to take steps to protect themselves from scams and identity theft.

Despite the size of the breach there have been no indications the Government is considering Australian-style fines to give more teeth to the commission.

The Privacy Act is supposed to govern how people’s private data is collected and stored, including ensuring companies like Latitude have “safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information”.

Dalziel is unsure of how New Zealand ended up so out of step with peer countries like Australia and the United Kingdom.

Just this month the UK’s information commissioner, John Edwards, fined TikTok £12.7m (NZ$24m) for illegally processing the data of 1.4 million children under 13 years old who were using its platform without parental consent.

Edwards is a New Zealander and was previously New Zealand’s Privacy Commissioner. In 2018 he called for fines of up to $1 million for serious data breaches to be written into law.

But nothing came of it, with Edwards’ plea suffering the same fate as the Law Commission’s suggestion in 2010 for fines of up to $500,000.

The current privacy commissioner Michael Webster shares Edwards’ view.

In a statement the commission said: “When you compare us to overseas regulators who serve the same or a similar role, we are an outlier in not having a civil financial penalty regime.”

It’s not only fines we lack here, the commission said.

“We also don’t have a civil financial penalty infringement regime like the Australians, which allows for smaller penalties for more minor infringements,” it said.

Dalziel wonders whether politicians feared huge fines could kill small and medium-sized businesses.

Perhaps there was little public pressure for change. Dalziel said people seem to underestimate the importance of privacy, until theirs is breached.

It may also have been that politicians felt public shame of privacy failures was penalty enough.

“Reputation is a big issue,” Dalziel said.

That doesn’t seem to be worrying Latitude investors. The company’s share price on the Australian sharemarket has risen since its mega data breach.

Just before the data breach Latitude’s share price was A$1.20, but it has since risen to A$1.29.

“The penalties are woefully inadequate,” Dalziel said.

The country may have an opportunity soon to take a fresh look at penalties as multiple pieces of digital law reform are in Parliament, or heading there.

After years of go-slow in the progress towards open banking, the Government is working on digital consumer data right laws, which will give people the right to access, and direct the sharing of, the data held on them by the likes of banks.

At the same time, the Digital Identity Services Trust Framework bill is before Parliament.

It is intended to allow the creation of identity verification services people could sign up to which they can use to prove their identity to the likes of Latitude, without having to hand over ID documents.

That should in time mean the likes of Latitude have no reason to hold digital copies of people’s ID documents, or even to record driver licence numbers.

Colin Wallis, executive director at Digital Identity NZ, said this should allow for “zero-knowledge proof of identity”. In practice that means the company needing to check someone’s identity receives an attestation from the identity service that the person has been verified, rather than a copy of the underlying document, so there is nothing of that kind for an attacker to steal from the company later.

However, Wallis said changes had to take place in other laws, such as the anti-money laundering laws, which companies interpret as requiring them to collect and hold copies of ID documents.

Even though there are no meaningful fines for privacy breaches, that does not mean there is no cost to privacy stuff-ups.

Companies frequently pay people in confidential deals, Dalziel said.

The commission, which has launched a joint investigation with the more powerful Office of the Australian Information Commissioner, can issue compliance notices, which cost companies money to act on.

And the commission has started to get complaints from people who claim Latitude has breached information privacy principle 9 of the Privacy Act, which says: “An organisation should not keep personal information for longer than it is required for the purpose it may lawfully be used.”

The commission can mediate financial settlements for people who have been wronged.

A complainant to the OPC, whom Stuff has agreed not to name, said that after closing his Gem Visa account in 2019, he asked Latitude to delete his data.

He said it agreed to do so. Then on April 12, he received an email from Latitude.

“It turns out that they did have my details and have lost my ID via this hack,” he says. “They've either been deliberately misleading former clients, or have been grossly negligent with their data handling systems.”

Another victim is preparing to complain after getting an email on the same night. About a decade ago she had applied for a loan, but decided against accepting it.

If people don’t get satisfaction from a complaint to the privacy commissioner, they can take a case to the Human Rights Review Tribunal, which can award compensation.

“The tribunal has said that cases at the less serious end of the spectrum will range up to $10,000, more serious cases can range from $10,000 to around $50,000, and the most serious cases will range from $50,000 upwards,” the commission said.

Nicol doubted there was much in the way of proactive policing of the Privacy Act, particularly in regard to massive warehousing of data.

While Latitude has lost 7.9m customer records, it says it has only 2.9m current customers.

“Why do they have to keep records of it for so long?” she asked. “Why is there not some enforcement around retention?”

While Optus, Medibank and Latitude are at the big end of town, Nicol wonders how poor privacy protection is at smaller companies.

“Last time I bought a car, they wrote my credit card number on a form, which was on a piece of paper, and put it under their desk,” she said.