Privacy issues not for patching
Well, this is just peachy. Another privacy breach, this time issuing from one of the least-fretted-about places. The Ministry of Culture and Heritage hangs its head. It accidentally but amateurishly betrayed the trust of more than 300 people who had provided passport, driving licence and birth certificate details, in the hope of being selected for a commemorative sailing adventure.
That it could happen to such a seemingly benign repository should broaden the perimeters of our sense of insecurity. But then, we have long passed the stage of fair warning that not every agency that imperiously and impatiently sticks its hand out for our personal information is capable of storing it safely.
Furthermore, with chastening frequency, these breaches are not the result of expert-versus-expert battles. Just as often it turns out to be forehead-slapping stuff.
The litany of recent failures includes Treasury’s inability to keep headline Budget information secure; the data breach exposing information from up to 112,000 Air New Zealand Airpoints customers; and the month-long data breach of the Kathmandu website.
Things even get as low-tech as the Canterbury West Coast DHB staffer who ‘‘accidentally dropped’’ about 300 people’s names and identity numbers, and at least 15 patients’ private health information, to the four winds in a Christchurch suburb. And the NZ Transport Agency’s acknowledgment of 82 data breaches, among which was the charming case of the computer drive containing the names, email addresses and photos of more than 1100 staff members, lost by a courier company.
The initial impression is that this latest failure came about through the Culture Ministry’s use of an as-yet-unidentified third-party provider and the inept decision to use a standard WordPress website, which is not an acceptable repository for highly confidential information. This sounds alarmingly like a beginner’s mistake that wasn’t subjected to more expert scrutiny. The upshot is that 300 victims now face much more than the need to obtain new documents. They must live with corrosive worry that their identities might be misappropriated for fraud.
So it’s a very big deal. And the outcome of the swiftly-announced review needs to be more useful than a report of chastening reproach, met by purred reassurances and perhaps a sacrificially rolling head dispatched in the name of accountability.
Resolutely inward-looking focuses no longer suffice. What we need, and must demand, is a scale of inquiry that goes beyond a ‘‘nobody do that again’’ warning. The real and substantive issue here is whether we’re deluding ourselves that the information security standards being required across the board are sufficient in themselves, or sufficiently resourced and policed.
Our privacy laws aren’t preserved in amber. They’re under review now, with legislation before Parliament, and if the abject failures recorded this year alone provide a helpful lens through which to scrutinise the scope and incisiveness of the proposed changes, then that’s something.
As things stand, however, the bill, which has had its second reading, is well advanced and although it contains some unassailably good stuff, like a tougher regime of mandatory reporting of breaches that pose risk or harm to people and tighter rules on agencies sharing information with overseas firms, there are wider issues upon which we still await reassurance.