Privacy Breaches – Carrot or Stick?

Interesting article in the NY Times here.

It discusses the loss of an unencrypted laptop by a NASA employee that contained the confidential details of 10,000 employees including names, birth dates, social security numbers and, in some cases, personal information from background checks.

The article goes on to discuss the absence of consequences for employees and companies who (negligently) fail to protect this type of information as the core reason why it continues to happen.

Here in NZ, the Privacy Act requires that personal information is protected by security safeguards to guard against loss and against unauthorised disclosure, modification, access and use. However, although the Privacy Commissioner may investigate and form an opinion in the event of a public breach or complaint (which is taken seriously), she has no powers to enforce any action or impose any penalty. Cases can be referred to the Human Rights Review Tribunal, which does have legally binding powers to enforce actions to rectify a breach and can award damages to a complainant. It isn’t that NASA-type events don’t happen here; rather, there are no incentives to report them and no consequences either for failing to report or for the failures or negligence that permitted the breach.

Looking at the twenty-four cases before the Tribunal in 2012, fourteen were brought under the Privacy Act. Of these, twelve were brought over alleged failures to satisfy personal information requests, and the remainder over alleged improper use and disclosure of information under privacy principles 10 and 11. Both categories concerned information that had been deliberately disclosed; none concerned a failure of security or storage.

As there is no legal obligation in New Zealand to report a breach of privacy, it is unsurprising that the vast majority of privacy complaints that reach the Tribunal concern information requests made by the complainant that went unfulfilled: these are the only failures that are ever reported.

In the UK, the Data Protection Act (DPA) also sets out principles for protecting personally identifiable data, including principles for security much like those in the NZ Privacy Act. However, it goes further by describing in reasonable detail which controls are expected to be in place to ensure that personal data is not lost or disclosed. These controls include the encryption of information that leaves the boundary of an organisation, for example on laptops, backups, DVDs and memory sticks. Further, in April 2010, the Information Commissioner, who oversees the DPA, was given greater powers to impose Civil Monetary Penalties (CMPs) on public and private sector organisations that fail to protect the personal information of their customers and employees. The key differences in this legislation and its implementation are these:

1. All data processors and controllers (those who collect and store personal information) must be registered with the Information Commissioner’s Office (ICO); and

2. All data controllers are ‘strongly’ encouraged to report any breach of the security principles of the Act to the ICO. There is no legal obligation to report a breach (unless you are an electronic communications service), but if you don’t report and are subsequently found to be in breach, the fines and penalties are severe.

This has created a culture in the UK where many organisations take their obligations under the Act, and the requirement to establish appropriate security controls around personal data, very seriously. The consequences of a breach are the financial penalty, the damage to brand and reputation that follows from media attention (all penalties and enforcement actions are released to the media) and the significant cost of putting in place the controls (within a timescale chosen by the ICO) to prevent recurrence. I’d like to think that at the same time that the ICO gained its new powers there was an epiphany in British businesses and government where they collectively decided to take the security of personal data much more seriously. However, I know from personal experience that rather than the carrot-shaped incentive of doing the right thing, by protecting the average British citizen from identity theft and fraud, it was the significant stick of penalties and the unwanted appearance in the Daily Mail that did the trick.

I guess the question is, do we care whether it is incentives or consequences that drive the right behaviour from the organisations that collect and store our information when it comes to protecting individual privacy and meeting our expectations? There are enough clear incentives to protect personal data, yet we know that reasonable steps are not being taken. Perhaps it’s time to bring out the stick?