Privacy Commissioner Marie Shroff is actively studying the progress of data-breach disclosure legislation overseas, with a view to making policy recommendations to government, and possibly the Law Commission, towards the end of the year.
Shroff says a survey conducted by her Office points to people’s rising concern about the security of their personal data. She says the proportion of people who said they were concerned or very concerned about the use of data and breaches rose from 49% in a 2001 survey to 56% in 2006.
She says her preliminary conclusion is that there’s a “serious level of concern” among the public over data security.
“It’s pointing in the direction of recommending something needs to be done,” she says. But exactly how it will be done remains open. It could be by law, voluntary code or other means, she says.
“As small countries tend to do, we are watching what other countries are doing,” she says, adding that she has a six-to-eight-centimeter-high pile of research on the issue on her desk.
California led the way in passing a data-breach disclosure law, called SB 1386, in 2002.
“We noticed it in California and have been watching it ever since.” Shroff says the Law Commission is undertaking its own study into data and privacy issues.
The Commissioner says she doesn’t have any particular information about whether data breaches are a big issue locally. While it doesn’t appear to require an urgent response, data-breach disclosure is a major development in the area of personal information law, she says.
Another benefit of waiting is that academic research is now emerging analysing the effectiveness of similar laws in the US and elsewhere. That will help New Zealand to pick up the best aspects of overseas schemes.
Shroff says information from her Canadian counterpart indicates that there were 586 publicised data breaches in the US between June 10, 2005, and February 19, 2007, affecting 104.1 million records. The Commissioner says that when such events result in identity theft, the average loss is CAD$2,000 (Canadian dollars), and, on average, the victim spends 175 hours setting things straight.