Today I talked on Radio New Zealand National about the Privacy Commissioner’s new draft code which would effectively force companies who violate your privacy to tell you about it so you can do something about it. My speaking notes are below the fold and the links are in the usual place.
Q: Moving to the Privacy Commissioners code about privacy breaches…what’s the story here?
A: This is a draft code for comment. But the end game here is forcing companies and government agencies to tell people when their privacy has been breached.
Q: Wouldn’t they know that already?
A: Not necessarily. Take the case of the T.J. Maxx credit card number theft. T.J. Maxx is a large-format retailer in the US with over 800 stores, and they have subsidiaries in the UK and Ireland. In January it announced that some of its customer data had been stolen from its computer systems.
A: They didn’t know at first. Later the investigators found out it was due to an unsecured wireless network in one of the retail stores. Some bad guys in a neighbouring building joined the unsecured network and broke into the main customer database for the company.
Q: What kind of data was stolen?
A: Well, it probably covered people’s purchasing history and all kind of similar things but what made people sit up and take notice was that it included credit card numbers.
Q: How many?
A: 45 million. That only became clear after it was all investigated.
Q: 45 million people had their credit card numbers stolen!
A: Yes – that’s more than 10% of the population of the countries T.J. Maxx operates in. So, all those people had to get their credit cards changed, and some of the cards were already being abused so people would have had to go through the pain of getting refunded, possibly getting their credit histories repaired, all of which takes up a lot of time and a lot of stress. And this is really creepy stuff – Americans might have their Social Security Numbers on the store’s database – sometimes stores ask for them, and that leads to identity theft. Once you know a few things about a US resident like their social security number it’s easy enough to apply for credit in their name, rack up a huge debt and simply vanish. It takes forever to sort this kind of mess out. The US Federal Trade Commission – a body a bit like our Commerce Commission – has come out with some stunningly bad statistics: 10 million Americans affected by identity theft, a total cost of $53 billion, and a total of 300 million hours – that’s 30 hours each – for the victims tidying up the mess. And those figures are just for 2003, before the big breaches we are talking about today.
Q: In the T.J. Maxx case, how did these 45 million people find out their credit card numbers had been stolen?
A: That’s the point – if there hadn’t been legislation forcing disclosure they might never have. Companies hate having to admit this – it costs them a great deal of money to fix their systems and tell everyone, and they take a huge reputation hit as well.
Q: So they’d rather just not say anything and not let people know about the problem?
A: Let’s just assume for a moment that the good folks at T.J. Maxx would have told people anyway, despite the big hit on the share price and the trashing of the company’s reputation. But the fact is they had to, because in the state of California there is a privacy breach disclosure law that forces a company to tell people when the company loses their data. And once you tell customers in one state they are all going to work it out.
Q: Does this kind of thing go on all the time?
A: You wonder, don’t you? A big recruiting and job-hunting site, Monster.com, has had its database of 1.3 million candidates stolen. That information has been used to try to trick people into installing Trojans on their computers so thieves can drain their bank accounts.
This is the biggest credit card number theft we know about, but there was another theft of 40 million back in June 2005. That was from a company called Card Systems which handles credit card processing for banks. They didn’t come out and say it – perhaps they don’t have Californian customers – and the news broke rather gradually as banks around the world started cutting off people’s cards and replacing them a few days later.
Q: Because the company told the banks?
A: Yes, I expect the agreements Card Systems had with Visa and MasterCard made them tell the banks – but they didn’t tell Joe and Jane public, that only came out when enough people put two and two together.
Q: They were probably hoping to get away with it!
A: Quite. And that’s why states like California, and some countries, have been enacting laws to force companies to own up to losses of personal data. And here in New Zealand, the Office of the Privacy Commissioner has just announced a draft code which will make companies losing people’s personal information own up to it and notify the people concerned.
Q: So the US is ahead of NZ on privacy?
A: The state of California is. US federal law on privacy lags a long way behind what Europe or New Zealand would regard as acceptable, but individual states can do what they see fit and California is ahead of the game here.
Q: OK, what do the New Zealand draft guidelines say?
A: They talk about sensible steps like containing the breach, evaluating risks, notifying people about breaches and preventing future breaches. All good rational stuff, but something that companies until now haven’t been told to do in New Zealand.
Q: And have companies been doing this kind of thing?
A: Who knows? There hasn’t been much public fuss for a while, so probably not. We don’t get to hear about many breaches – that doesn’t mean there are many we don’t know about; we just don’t know. Where the government’s involved there’s a bit more of a spotlight because of the greater public accountability public agencies operate under, and we get to hear about breaches in those – which aren’t all that common these days. It’s going to be really interesting to see if the new code causes a lot more breaches to become public knowledge.
There was a shameful incident about 6 years ago where a TV journalist doorstepped a poor woman whose records of sexual abuse counseling had been stolen, unknown to her, and when she opened her door there was national TV asking her how she felt about it. There was a broadcasting standards complaint upheld over that.
Q: That’s a pretty extreme example, though. Most breaches aren’t like that.
A: No, of course not. Although notification would have helped here as well – if the victim in that case had been warned in advance she would at least have known not to answer the door to a very short TV journalist. That example incidentally is doubly relevant to privacy because the journalist thought he was making a point about the victim’s privacy. A pity he felt he had to violate that privacy in order to make his point.
Anyway, the New Zealand draft guidelines talk about balance – there’s no sense in notifying someone when the notification would cause more harm than the breach for instance.
Q: So is this based on the California law?
A: Apparently it’s based on Canadian law, or rather Ontario law. In Canada all the provinces do privacy their own way, although most of them do it at least as well as we do.
Q: Will companies object to this new code? It seems like just another thing to worry about.
A: They might, although it’s really only a continuation of the existing Privacy Act. Effectively that act says that information about people has value to the people concerned and companies have to take that into account when handling it. Letting people know that you’ve lost their medical records or credit card numbers strikes me as common courtesy. I’d be a lot more likely to remain a customer of a company which did that to me if it owned up and said sorry up front.
Q: So this is a draft code. What happens from here?
A: It’s out for consultation now. The Privacy Commissioner is asking for comments by the 28th of September. People should look at it and send in their comments, especially if you think the Privacy Commissioner has it wrong.
The FTC’s report on identity theft.
A very long list of mostly US privacy breaches.
Broadcasting Standards Authority decision on a complaint about abuse of health information.
The New Zealand Privacy Commissioner’s draft guidelines about breaches.
A paper about US privacy breach disclosure laws showing which states do and which don’t require notification.