Search This Blog

Friday, October 22, 2010

Electronic security failings raise privacy issues as well

The NSW Auditor General report Electronic Information Security is focussed on the failure of the NSW Government to ensure agency compliance with the international Information Security Management System standard, despite directions/ exhortations to agencies to do so. It seems no one has the clout or standing to force compliance by agencies that haven't acted on this, and things have simply drifted for the last nine years. The media release highlights the dangers this poses to personal information:
"The Auditor-General, Peter Achterstraat, today called on the NSW Government to make sure its agencies properly safeguard people‟s sensitive private information. “The Government is not able to assure the people of NSW that all its agencies are properly safeguarding sensitive private information,” said Mr Achterstraat...Mr Achterstraat outlined three key solutions to improve information security across Government. The Government needs to: establish minimum standards; hold people accountable to meet these standards and report annually to Parliament on the state of information security, including breaches. In summing up Mr Achterstraat said: “The people of NSW have a fundamental right to expect their families‟ private details are secure, regardless of which agency holds them. The Government must demonstrate this. Currently, it can‟t.”
There is a paucity of information in the audit report about incidents of breach of security involving sensitive information that may have occurred, and the report makes no link between standards of electronic security in government agencies and compliance with and potential breaches of privacy law.

The Auditor General notes reports of significant breaches of security of personal information elsewhere in the world, but cites only two significant incidents involving possible loss of sensitive information in NSW: one involving the Jobs NSW website –the Government's major recruitment tool - when E-mail addresses of job applicants were stolen, and the applicants were subsequently spammed by the hackers, and the other when the RailCorp networks were infected by the Conficker virus making data held vulnerable to theft or modification by hackers. The report continues:
There could be more such incidents. Unless breaches are exposed in the media knowledge of them tends to remain limited. Identifying both poorly and strongly defended systems in any form of public forum is likely to make that system a target. Keeping quiet makes it harder for a victim to identify how a wrongdoer got hold of their private information, and to hold the organisation accountable for its lax security. And in some cases, an organisation may never know it has been compromised, particularly if it is not that good at IT security.
In summary the report outlines significant potential danger to sensitive information holdings but has little to say about the extent of incidents that may have occurred.

The report doesn't mention that a government agency that fails to properly protect personal information isn't just in breach of the IT standard: it is also in potential breach of NSW privacy law, in force since 2001, that requires (s 12) an authority to ensure personal and health information
"is protected, by taking such security safeguards as are reasonable in the circumstances, against ..unauthorised access.. or disclosure, and against all other misuse."

Compliance with the standard would seem to be a guide to what constitute reasonable  safeguards under privacy law, given the fact it has been government policy for a decade. A person who can demonstrate loss or damage because of unauthorised access or misuse of personal information, as a result of a failure to comply with the reasonable security safeguard requirement, can seek damages of up to $40,000 from the NSW Administrative Decisions Tribunal (s 55).

However while an individual may be painfully aware of loss or damage resulting from someone improperly accessing financial or other information, he/she may be, and remain in the dark about how this came to pass, and that a government agency may be responsible because of an electronic security failure. NSW privacy law does not require an agency to notify the person concerned or the Privacy Commissioner that a breach of privacy principles has occurred. Remedies are only available where the individual concerned knows enough to be able to complain about agency conduct.

The Auditor General's report recommends "the Department of Premier and Cabinet should ensure..agencies report breaches (of the standard) or near misses to an independent organisation responsible for capturing incidents, ensuring investigations are conducted, and lessons are learned." The Privacy Commissioner should be involved somewhere along the line. And an individual should be made aware of a breach that exposes him or her to ID theft,  or other significant harm.

The Federal Government is still to respond to an Australian Law Reform Commission  proposal that:
  • A Federal agency or private sector organisation be required to notify the Privacy Commissioner and the affected individual when a data breach has occurred that may give rise to 'a real risk of serious harm to any affected individual'.
  • The notification only be required in respect of defined 'specified personal information' that should include both personal information and sensitive personal information, such as information that combines a person’s name and address with a unique identifier, such as a Medicare or account number.
  • Civil penalties apply for failures to report breaches.

No comments:

Post a comment