By Bill Farmer
Several recent studies, reports, and data releases have made a stark case for the creation of strong data breach disclosure laws in New Zealand. There is real concern amongst Kiwis about the security of their personal information held by other parties and, in particular, about how their payment card data is protected.
Local results of a global study by Unisys found nearly six in 10 New Zealanders are extremely or very concerned about unauthorised access to their personal information, or other people obtaining or using their credit card details. Those results ranked well ahead of mainstream national security threats like war or terrorism.
Recently released data from BNZ shows good reason for that concern: card fraud was up nearly 50 per cent between 2004 and 2013. The fastest-growing category of fraud was attacks where payment cards were compromised without actually being used, which accounted for 80 per cent of fraud last year and consisted primarily of ‘large-scale account data compromises’.
Yet despite high levels of concern and a significant increase in large-scale account data compromises, card and payment security issues are perhaps the ones we know least about in New Zealand.
There have been only scattered public news reports of card data loss events. For example, a major unnamed retailer was breached earlier this year, and there were several reports of card skimming gangs roaming Auckland and Wellington dating back to mid-2013.
But these reports are just the tip of the iceberg. Around the world, card fraud and cybercrime are well on the rise, costing an estimated $400 billion last year. To think it’s not happening here in New Zealand is as much folly as asserting the earth is flat. We are all part of the same global digital economy, and New Zealand businesses are different in only one key respect: when they are breached, no one has to know about it.
In the US, for example, 48 of 50 states require organisations to publicly notify individuals when their payment or personal data has been lost or stolen. While notification processes and specific requirements vary from state to state, the essence of the law is the same: when your personal information is lost, you have a right to know.
Surely we in New Zealand value our information at least that much. If our information is valuable to organisations, there ought to be a notification required when it goes missing.
That’s why it was particularly encouraging to read about the proposed reforms to our Privacy Act, which would include provisions for a public breach disclosure law. Any company that loses personal information (and financial data like credit card information in particular) will be held accountable and notify their customers about the incident.
It’s not merely the honest and right thing to do; it will also give us some clear data, perhaps for the first time, on how commonly systems are under attack by fraudsters and cyber criminals. Armed with that information, we can ensure all businesses are properly prepared with the security they’ll need to meet the challenges of the digital age we live in.