Still, ID theft can be difficult to deal with.
Lara Wilson, a Te Puke process servicer more used to handing out debt collection notices, found her own credit record compromised as she struggled with an ID thief who had used an image of her driver’s licence to open power and phone accounts that went unpaid – and she was an expert in the field.
And Wellington librarian Nicole Gaston saw her chance of buying a home evaporate when an ID thief saddled her with $20,000 in debt after her details were filched in a Ministry of Culture and Heritage data breach.
So many will want to play it safe and get a replacement passport ($215 plus courier costs) or driver’s licence ($26.30) if a copy has fallen into the hands of hackers.
You’re on the hook
But who picks up the tab? In short, the victim, unless the “agency” – officialese for the party, like Competenz, that spilled your ID – decides to voluntarily cover the cost.
“It’s up to the agency to decide whether it pays for new documents for those impacted by the breach,” said a spokesman for the Office of the Privacy Commissioner, which administers the Privacy Act 2020.
“Our view is that good practice is that the agency responsible take steps to reduce the impact of the breach on affected individuals. That could include, for example, replacing key identity documents that are at risk – but that’s a decision for the agency to make,” the OPC spokesman said.
So is Competenz coming to the party? If you pipe up.
“So far no one has asked for Competenz to pay for their passport,” a spokesman said.
The option of Competenz paying for a replacement is not mentioned on the organisation’s incident response page.
“We are working through this on a case-by-case basis as each circumstance is different, but we will replace any documents as required,” the Competenz spokesman said.
The OPC spokesman said: “We would encourage affected individuals to contact Competenz directly to discuss their concerns or any remediation they might seek from them. If they’re not satisfied with their response, they can then complain to us.”
The revised Privacy Act makes it mandatory for an organisation that suffers a serious data breach to report it to the OPC. It’s then at the Privacy Commissioner’s discretion whether the general public is alerted.
Toothless
The Privacy Act also requires an organisation to store data about you securely, and for the minimum time necessary – and to only use it for the purpose for which it was collected.
Breaches can result in fines – albeit on a modest level compared to Australia, the United Kingdom or the European Union.
“I am concerned that businesses and other organisations rely on digital environments but aren’t well set-up to run them safely,” Privacy Commissioner Michael Webster weighed in on the same theme at the National Cyber Security Summit in Wellington in March.
“The degree of privacy maturity and cyber security practice is not as developed as I would have expected, which says to me that people aren’t always motivated to comply with legislation that protects data, like the Privacy Act,” Webster said.
“The maximum fine I can issue to an organisation for not adhering to a compliance order is $10,000.
“Compare that to Australia, where their maximum fine for serious interference with privacy is $50 million, and you begin to see the issue.”
Justice Minister Paul Goldsmith responded: “There are no current plans to amend the offences and penalties in the Privacy Act (2020), but it is something we might consider in the future”.
The Privacy Commissioner can play a role in brokering a settlement – as was the case with Ministry of Culture and Heritage data breach victim Gaston (the amount was confidential).
Another wrinkle: in some cases, victims of ID theft have to fight with one hand behind their backs.
The Office of the Privacy Commissioner has warned that although you have the right to see how your information was used by an alleged ID thief – that is, how they used your credit card, and the amounts charged to it – the alleged offender has a degree of protection under the Privacy Act 2020.
That means you’re not entitled to request, say, CCTV footage of them, or request specifics about what goods or services they’ve charged to your plastic.
If you suffer ID theft
- File a police report. Crown agency Cert NZ and the Crown-backed Netsafe can help you file a report to authorities;
- Contact the Crown-supported IDCare, which can help you freeze your credit record with New Zealand’s three national credit agencies (Centrix, Illion and Equifax). Its service is free;
- Watch your bank accounts and credit cards for anything odd, and run six-monthly checks on your credit ratings (credit agencies are not allowed to charge more than $10 for this service);
- Follow Internal Affairs’ ID theft checklist and replacement documents guide;
- Complain to the Office of the Privacy Commissioner if you think you’re being treated unfairly by the organisation that lost your data.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.