New laws on protecting personal data come at a cost - is it too high and is it worth it?

First published in The Business, NZ Herald, 3 August 2007


New Zealand business and government authorities may face a major increase in compliance costs and public relations headaches if data-breach laws are introduced here.

Four years after the introduction of the world's first data-breach notification law in California, similar measures are now being mooted for New Zealand.

New Zealand's Privacy Commissioner Marie Shroff has asked the Law Commission to investigate legislation and says the Privacy Commission itself is studying how the issue has been tackled overseas. A push for a new law is coming from IT security specialists, who believe new laws are inevitable and we should act now.

In California the law, introduced to combat identity theft, requires public and private sector agencies to notify individuals when security breaches involving unauthorised disclosure of personal information occur. The law is designed to provide individuals with the opportunity to take preventative or remedial measures to safeguard their personal information after a security breach has occurred. It is also intended to provide agencies with more and better incentives to secure the personal information that they do hold.

Similar laws have since been enacted in at least 26 other US states and in parts of Europe. The debate has moved Downunder in more recent times. Last August, Australia's Privacy Commissioner Karen Curtis announced that she would be recommending consideration of a mandatory reporting law for Australia and the subject has been up for debate here at forums and in the media in recent times.

At the heart of local discussion have been key questions around whether New Zealand actually needs new laws requiring the disclosure of data breaches, and if it does, what they would look like.

The question of "need" in the New Zealand context is problematic. Unlike the US, we already have comprehensive privacy legislation. And there are simply not enough reliable statistics to indicate the extent to which "identity theft" is a problem here in New Zealand – although in recent years there have been several headline-catching cases.

While Marie Shroff has said that New Zealand doesn't appear to have a "huge problem" with data breaches, sectors of the IT security industry suggest it could be worse than we think. As was the case with our anti-spam legislation, we may have to act sooner rather than later or risk being out of step with the rest of the world on the issue.

There are certainly some issues about the benefits of this kind of legislation. It needs to be recognised for instance that security breach disclosure laws only deal with the consequences of a major data breach - they do not help to prevent or detect fraud. And when a major breach is publicly notified, the onus is largely on individuals to clean up the mess - an exercise that very often involves "chasing shadows". Overseas statistics indicate that the unauthorised disclosure of personal information only results in actual misuse in around 6% of cases.

In fact, commentators have warned that security breach disclosure laws may, at least in the short term, produce "undue alarm", leading to an unnecessary loss of trust in e-commerce and e-government. Others have suggested, paradoxically, that "notification fatigue" can occur over the longer term. For example, surveys indicate that well over a third of US consumers who have received notifications where data breach laws exist take no action to protect themselves.

However, even commentators sceptical of existing laws accept that individual notification, if properly managed, is not in itself a bad thing and that market forces may not provide organisations with sufficient incentives to notify. Some form of mandatory reporting may well be needed.

Overseas, the debate has moved on and is now concerned more about the shape of these laws. One issue involves defining the kind of event that will trigger the obligation to notify. Should it be where unauthorised people have "had access" to designated personal information or only where there is reason to believe that they "have acquired" that information? In some US states the threshold for disclosure has been set even higher, by only requiring an agency to notify when a security breach carries "a significant risk of identity theft or fraud".

The nature and extent of the personal information that is the subject of the breach law is also contentious. Most data-breach laws refer to the unauthorised disclosure of all or part of an individual's name in combination with other more sensitive identifying data such as a passport number, a tax ID number, a driver's licence number, an account password, or credit or debit card numbers. However, some regard this approach as being too prescriptive, resulting in gaps in the way the law operates.

Issues also exist around areas such as encryption standards, timeframes for notification and the impact of criminal investigations; the need to notify other agencies, such as credit bureaux, the police or the local privacy commissioner; and how to notify (by email, telephone or by post).

Overseas, the method of notification has become contentious because of compliance costs. In the US a mail notification is calculated to cost $2 per individual and there can be other costs depending on the type of business involved. For financial institutions there may also be costs associated with opening new accounts and issuing new credit or debit cards.

There is also the question of enforcement. In nine US states monetary penalties are prescribed. In New York state, for example, the court may impose a penalty of US$10 for each failure by an agency to notify, up to a maximum fine of US$150,000.

In New Zealand to date, the focus has been less on fines and more on mediating alleged violations of privacy principles. While a damages claim can be heard before the Human Rights Review Tribunal, this is very much the exception rather than the rule. So while it may be possible to explicitly provide for security breach notification as an extension to privacy principle 5 (storage and security of personal information), the incentives on agencies to comply are likely to remain low. The alternative would be to move to a separate stand-alone law similar to the United States approach. This would represent a departure from the holistic, principle-based approach to privacy law matters that has been our norm up to now. However, such a move may signal that a security breach notification law is as much about raising the stakes for the maintenance of data security as it is about giving individuals redress over actual or threatened violations of their privacy.