Vexing views on why privacy is so slow to change
Monday's enforcement of the Privacy Act 2020 calls on businesses to pay close attention to the security of personal information held about both individuals and businesses, and to proactively prevent privacy harm.
The exponential growth of our digital lives is transforming the way we leave a trail or imprint on the world. The digital harm resulting from privacy breaches is broad, ranging from data breaches to ransomware attacks, sextortion and scams.
Reforms to the 1993 Privacy Act have taken many years, and the long-awaited revamp took effect yesterday, 1 December 2020.
The Privacy Act has emerged in response to the new digital landscape, where individuals and organisations now operate almost fully online. Inter-connected devices, cloud storage, e-commerce and social media profiles now expose both businesses and individuals to significant data risk.
The Act recognises the commercial value of personal and organisational information, and takes into account the global nature of all information sharing.
Of particular importance to business is that the Privacy Act 2020 requires the Privacy Commissioner to be notified of any privacy breach that has caused, or is likely to cause, serious harm. The Commissioner will also be able to issue public compliance notices for breaches.
The Privacy Act 2020 – long overdue
The New Zealand Crime and Victims Survey (NZCVS) reveals that between 2018 and 2019, over 320,000 New Zealand adults (7.9%) experienced 420,000 fraud or cybercrime incidents. Of these, only 10% were reported to the police.
Businesses must overcome this low visibility of harm to build a convincing business case for investing in proportional, risk-focused security. This requires changing hearts and minds to drive the behaviour that enhances privacy, and it often requires legal catalysts and new compliance frameworks.
New Zealand is still playing catch-up with its privacy updates. Its international counterparts, including Australia, the UK and Japan, have already passed legislation to bring their data security up to speed with the digital age.
Key changes of the Privacy Act for business are outlined here.
Legislation to the rescue
Past consent laws have proven to be insufficient when it comes to security and privacy in the digital age. The big for-profit communications platforms – Facebook, LinkedIn, and the expanding variety of others – have been highly influential in making personal and organisational data vulnerable, because they rely on selling individual and organisational data to make a profit.
Bruce Schneier – an internationally renowned security guru and US Government spokesperson – spoke about July’s Twitter hack on the accounts of Joe Biden, Bill Gates, and Elon Musk. He comments that for companies such as Twitter, trusted by customers with their data, “Underspending on security, and letting society pay the eventual price is far more profitable”. He makes the point that data protection should not be left up to corporate leaders – rather they must be regulated and held accountable: “Fixing this requires changes in the law, not changes in the hearts of the company’s leaders”.
Yale lawyer Andrew Burt also writes about how the nature of privacy has shifted. He states that the responsibility cannot be left to the individual either. “Once described”, he comments, “as ‘the right to be let alone’, privacy is now best described as the ability to control data we cannot stop generating, giving rise to inferences we can’t predict”.
These international concerns have been echoed here in New Zealand by Privacy Commissioner John Edwards who has said of individual consent that it asks too much of a consumer. In a 2019 conference he said consent was an “abdication of responsibility”. He has called out the practice of ‘click to consent’ saying it is simply not good enough anymore. He echoed the call for companies to up their game when it comes to designing consent mechanisms.
New Zealand-based security professional Chris Hails, NZTA Security Manager, advises on the privacy options that work for business. Drawing on his experience at Deloitte and at various UK security organisations, and on certifications in information systems, management and cloud security, Hails has sought ways to reduce the emotional and financial harms of cyber-crime and social engineering.
Hails explains that security professionals can struggle with the ‘double intangibility’ of security: “the intangibility of risk and the intangibility of protection”. Whether businesses can freely or easily decide to improve consent mechanisms is questionable.
Advice for business – International lessons learned
- Review personal data assets and collection.
- Create or update your business’s breach response plan and notification processes to the Office of the Privacy Commissioner and concerned individuals.
- Define a RACI (Responsible – Accountable – Consulted – Informed) matrix for breach detection and response, and exercise against breach scenarios to build capability.
- Inventory the organisation's supply chain, and review contracts and security capabilities, onshore and offshore.
- Ensure Privacy Statement reflects real data flows and sharing arrangements.
- Introduce Privacy by Design thinking – more, better, earlier Privacy Impact Assessments (PIAs) for mature organisations.
Just the beginning
The Monday enactment of the Privacy Act has been a long time coming – but it is likely to be just the beginning of broader updates.
Another question is how influential the Privacy Act will be in getting international corporates that hold large amounts of customer data, such as Facebook and Google, to comply. New Zealand is a small country, and many of our businesses rely on these big global players.
The future of New Zealand privacy measures – what business can and cannot do – will become clearer as the Privacy Law is enforced.
Compliance and Vulnerability
Cloud compliance is the general principle that cloud-delivered systems must comply with the standards that cloud customers themselves face. Essentially, cloud customers need to examine the effective security provisions of their vendors the same way they would examine their own internal security, and determine whether their cloud vendor's services meet the compliance requirements they are subject to. There are several ways to go about this. In some cases, companies can simply look for vendors that certify compliance and choose their services without further input. In other cases, clients may need to get directly involved in assessing the cloud vendor's security to make sure that it complies with the relevant industry standards and regulations.