OPINION:
We love to think our Kiwi ingenuity propels us forward in smarter ways than larger nations could dream up. Yet, despite its growing importance on the global stage, we're far from leading the pack in data privacy.
Yes, the incoming Privacy Act 2020 is a step in the right direction, but it runs the risk of being woefully out of date in the years to come.
This year has brought with it several notable hacks on home soil such as Lion, Toll, the University of Auckland and most recently the DDoS attacks on the NZX and other entities, halting businesses for days and weeks on end. Breaches like these in New Zealand will continue to rise.
Cyber criminals are smart. They seek out vulnerable systems and machines, sometimes spending months inside a system before attacking to inflict the most damage.
Alternatively, they can overwhelm undercooked and unprepared systems to shut down entire operations for fun or a potential ransom.
While so far these companies seem to have recovered without further compromise of their customers' precious personal data, reputations have been significantly damaged.
These examples illustrate exactly why we need a bold new Privacy Act which sparks a culture change towards information security, not just for today's problems but future scenarios too.
Privacy Act penalty is just a cost of doing business
Europe's General Data Protection Regulation (GDPR) sees fines in the millions, or even hundreds of millions, and Australia's Notifiable Breaches law could cost a business up to A$4 million ($4.2m).
British Airways is facing a £183m ($358.9m) fine for breaching the privacy of 500,000 customers, and the French courts have determined Google should pay US$57m ($86.2m). Both penalties come from violating GDPR regulations.
These are the kinds of penalties which will make businesses take cyber security, and their responsibilities for protecting personal data, seriously.
Unfortunately, New Zealand's maximum penalty of just $10,000 is a light slap on the wrist for any big business. It's safe to say this isn't going to motivate large enterprises to up their game.
In the grand scheme of things, a few Privacy Act breaches would still be more affordable than investing in properly secure systems, lacking the necessary motivation for some businesses.
Australian directors are directly and personally liable for data breaches under the country's Notifiable Breaches law. This is something Kiwi directors needn't lose sleep over because there is no such provision in the Privacy Act 2020.
By comparison, when the Health and Safety Act was overhauled and local directors were saddled with personal liability, skin in the game meant those laws suddenly got a lot more attention. This is like New Zealand's alcohol laws where duty managers are directly liable for selling to minors. With top down responsibility, suddenly the highest levels of an organisation make it a priority to play by the rules.
A slow-paced law doesn't work for fast-paced tech
Technology is a fast-moving sector which means how we monitor, regulate and enforce it also needs to be handled with haste.
The Privacy Act hasn't been revised since its inception in 1993. Yes, you read that right: it hasn't been updated since the World Wide Web was barely out of the lab.
Google didn't exist then and neither did Facebook. Y2K was a fear we didn't even know we had, and now one we laugh at. Today we're on the cusp of 5G technology, when 2G connectivity was in its infancy at the inception of this law.
Our phones are powerful enough to be computers and hackers can infiltrate networks through internet-enabled aircon units. Describing our existing Privacy Act as prehistoric, given our extraordinary technological leaps, is appropriate if not generous.
We talk about our goal of being one of the most connected countries on the globe with a world-class UFB network. However, the snail's pace at which our Privacy Act has been amended means we can't safely and securely take advantage of it.
When tech controls tech, who's to blame?
It's noticeable that our new Privacy Act, still three months away from introduction, could do with more work to be future-proofed.
Already, new methods of accessing and using people's data for unethical or illegal purposes are the new frontier. Artificial intelligence (AI), promising much in terms of convenience and efficiency, can be used for good or bad.
Little in the new Act's provisions addresses, for example, where and how liability might sit should AI be used for nefarious purposes.
Or, what happens with data when it is created by a third-party service. Self-driving vehicles are coming and using one requires an exchange of information. The law requires that information is used only for the stated purpose, but what happens if it is handed to a digital billboard to push products in your direction?
Like many digital companies, Google expressly accesses and uses personal information to deliver various services. What about data in other AI applications? If the application does something unexpected and publishes or uses personal data inappropriately, where does liability lie? With the person who conceived it, those who built it, or the AI itself?
Now, I'll concede that anticipating where a fast-moving industry might go next is difficult. But it's a worthwhile exercise because our future is digital, and the risks should be catered for. Our laws must move faster and provide operational certainty for local businesses and everyday Kiwis.
We must actively look after data
Company leaders and New Zealanders generally don't seem terribly concerned about their data. The evidence is in the number of local breaches we've seen so far this year.
This complacency works until it's our own data being compromised. Once an identity is stolen, credit card details sold, or a reputation destroyed, the sentiment changes and everyone wants to know why and how it happened.
Without appropriate deterrents and a strong nationwide security culture, it's likely that these sorts of issues will become a more regular occurrence.
The Privacy Act 2020 is undoubtedly a long overdue move towards a better framework for managing data in the digital age. But it's easy to feel this is a missed opportunity where New Zealand could have done much better.
We're a small and advanced nation, capable of world leadership in many avenues. Unfortunately, this just wasn't one of them.
- Peter Bailey is the general manager of Aura Information Security.