ITP Techblog

Brought to you by IT Professionals NZ

Breach notifications on the rise: Privacy Commissioner

Office of the Privacy Commissioner. 04 December 2013, 12:47 pm

A sharp increase in the number of data breaches being reported is a notable feature of the 2013 annual report from the Office of the Privacy Commissioner. In the following article, based on the report, the Office outlines the number and type of breach notifications it has received since 2007.


The Office of the Privacy Commissioner has recently started to track breach notifications more formally, as this is a growing body of work for the office and is also a matter of external interest and importance.

We are still developing our reporting system, including considering the most accurate and useful way of reporting types of breaches and outcomes.

Provisional figures since our record-keeping began part way through 2007 are as follows:

NUMBERS OF NOTIFICATIONS AND SECTOR

Year     Total notifications   Public sector   Private sector
*07/08                     3               2                1
08/09                     16              13                3
09/10                     13              10                3
10/11                     31              19               12
11/12                     46              34               12
12/13                    107              84               23

*Partial year results only, dating from the switch to the electronic records system in August 2007.

MOST COMMON SECTORS FOR NOTIFICATIONS

Organisation type            07/08   08/09   09/10   10/11   11/12   12/13
Government                       2       7       9      15      27      51
Hospital                         0       5       1       3       5      12
Other health agencies            1       0       2       3       2       6
Large businesses (general)       0       1       0       3       3       7
Education sector                 0       1       0       1       1       4
Small businesses                 0       2       0       2       2       5
Local authorities                0       0       0       0       0       3
Banking/Finance/Insurance        0       0       0       3       3       4
Telecommunications               0       0       1       0       2       3

The figures represent the number of notifications received (not the numbers of agencies that notified us).

MOST COMMON TYPES FOR BREACHES NOTIFIED

Types of breach                                   07/08   08/09   09/10   10/11   11/12   12/13
Website problem                                               3               2       2      12
Loss/theft of physical file                           1       5       4       2       7       5
Loss/theft of portable storage device                         1       3       1       5       7
Employee browsing                                             1               1       3       6
Electronic information sent to wrong recipient        1       2               2      10      17
Physical information sent to wrong recipient                  2       3               5      23
Hacking                                                                       4       1       4


The figures demonstrate that our own workload with breaches has increased markedly in the last year. This is unsurprising, given the major data breaches at ACC and MSD (Ministry of Social Development). It is not only public sector agencies that have a heightened awareness of breach reporting; private sector reporting is also significantly up. We are receiving notifications from a greater variety of sectors, indicating that awareness of breach notification best practice is becoming more widespread.

It is too early to say whether our statistics illustrate a trend, or merely a temporary rise in concern. But we would be surprised if reporting was to diminish much in the near future. Experience overseas suggests that breach numbers are increasing significantly, particularly as agencies apply new technologies in ways that test the maturity of their security safeguards. Local agencies are likely to maintain their heightened awareness of breach prevention and management for some time to come.

As mentioned, these figures are still provisional and they should be approached with a degree of caution.

Firstly, breach reporting is entirely voluntary in New Zealand at present. This means that our figures say little about the level of breaches that actually occur, or the relative performance of agencies in various sectors. Instead, the agencies that report to us tend to be the conscientious ones that are able to identify breaches when they occur and that are well aware of best practice in breach reporting. That is, they know that they should generally notify the individuals concerned and also our office where there has been a serious breach, or where notification will help the individual to take steps to protect themselves. Most agencies that contact us are also aware of our voluntary privacy breach guidelines and are already following them.

Secondly, there is no formal definition of what amounts to a breach. As a result, some of the breaches are minor issues that would not be required to be notified under any mandatory scheme. The figures alone therefore do not necessarily tell us whether an agency has a serious issue with its security standards. In addition, a few notifications involve agencies that have discovered that their disclosure processes may breach the Act. Not all of these are "data breaches" as we would often understand the term. Data breaches more usually involve either deliberate misuses or theft of personal information (such as employee browsing, hacking, or theft of data storage devices), or inadvertent actions by an agency that expose personal information. For simplicity's sake, we currently log all voluntary notifications from agencies as breaches.

We encourage agencies to let us know when they experience a breach. We can often provide useful advice on how to handle the breach, particularly for those with little experience in the area. If the agency is already doing everything that we recommend, they feel reassured. In cases where follow-up is warranted, we can often provide an early indication of what we are likely to need - an approach which is easier for the agency to manage than receiving a formal notification of an enquiry. Finally, if a breach results in significant publicity, we are better equipped to take enquiries from individuals who are or may be affected, and to provide information in response to media enquiries.

The Law Commission has recommended that New Zealand needs to move to mandatory breach reporting. We agree with that recommendation. Mandatory reporting would provide strong incentives for agencies to take appropriate steps to prevent breaches and to manage them properly when they occur. It would result in better information being given to affected individuals so that they could take steps to protect themselves. It would provide us with better information about the scale of the breach problem in New Zealand, the types of breaches that occur, and what approaches are effective. This would give us information that we can then use to help others. It would also provide a direct mechanism for us to deal with agencies that do not attempt to comply or refuse to comply with the law, allowing us to target our responses to greatest effect to protect individuals from harm.

The full annual report can be read here.
