Published on 03/07/2018 | Written by Pat Pilcher
Data breach reporting to become mandatory in New Zealand, could Z Energy have handled things better?
Data breaches and security vulnerabilities may be daily news fodder overseas, but they’re still relatively rare in New Zealand. That changed last week with revelations by Stuff of a vulnerability in Z Energy’s fuel card website, which is used by 45,000 cardholders.
The vulnerability in question meant that Z Fuel account customer details were accessible to anyone who typed a customer’s account number into the Z Fuel Card page URL. In security terms this is a broken access control flaw, often called an insecure direct object reference: the account number in the URL was treated as sufficient to retrieve the record, with nothing tying that number to the person making the request.
According to Ian Welch, associate professor of cyber security at Victoria University’s School of Engineering and Computer Science, the vulnerability afflicting the Z Energy fuel card webpage is not an uncommon issue: “They would be far from the first company to have this problem, but it is a very basic mistake”.
Welch says that while no personal information or credit card details were leaked, the customer information exposed by the vulnerability could be used for fraudulent purposes: “Some of these ‘private’ details such as a registration number or a home address are the sort of info people use for password reset questions. This could allow attackers to leverage what they have to do something much more serious.”
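To make the failure concrete, the following is an added illustration written for this page; it is not Z Energy’s code, and the account numbers, names, addresses and the session model are all constructed for the example. It shows a lookup handler that uses the URL’s account number as its only key, beside a hardened version that first requires a login and then checks that the authenticated user owns the requested account, and it walks a range of sequential numbers the way an attacker would to show what each handler hands back.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    account_number: int
    owner_user_id: str        # the login that legitimately owns this card account
    name: str
    home_address: str
    vehicle_registration: str


# Constructed sample data for the example; sequential numbers make enumeration trivial.
ACCOUNTS = {
    100001: Account(100001, "alice", "Alice Example", "1 Sample St, Wellington", "ABC123"),
    100002: Account(100002, "bob", "Bob Example", "2 Sample Rd, Auckland", "XYZ789"),
    100003: Account(100003, "carol", "Carol Example", "3 Sample Ave, Christchurch", "JKL456"),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested account."""


def lookup_account_insecure(account_number: int) -> Optional[Account]:
    """Flawed handler for a hypothetical URL such as /fuelcard/account/<account_number>.

    The number taken from the URL is the only key used; nothing ties it to
    the user making the request, so anyone who can type a URL can read
    any account (an insecure direct object reference).
    """
    return ACCOUNTS.get(account_number)


def lookup_account_secure(session_user_id: Optional[str], account_number: int) -> Account:
    """Hardened handler: authenticate first, then authorise against ownership.

    The account number from the URL is still used to find the record, but the
    record is only returned if its owner matches the authenticated session.
    """
    if session_user_id is None:
        raise Forbidden("login required")
    account = ACCOUNTS.get(account_number)
    # One failure path for "no such account" and "not your account", so the
    # endpoint cannot be used to discover which account numbers exist.
    if account is None or account.owner_user_id != session_user_id:
        raise Forbidden("account not found")
    return account


def simulate_enumeration(session_user_id: Optional[str], start: int, stop: int) -> Tuple[List[int], List[int]]:
    """Walk a range of account numbers the way an attacker would and report
    which account numbers each handler hands back. Returns (insecure, secure)."""
    leaked_insecure: List[int] = []
    leaked_secure: List[int] = []
    for number in range(start, stop):
        record = lookup_account_insecure(number)
        if record is not None:
            leaked_insecure.append(record.account_number)
        try:
            leaked_secure.append(lookup_account_secure(session_user_id, number).account_number)
        except Forbidden:
            pass
    return leaked_insecure, leaked_secure


if __name__ == "__main__":
    # An anonymous visitor (no session) walking ten sequential numbers
    # gets every account from the flawed handler and nothing from the hardened one.
    print("anonymous:", simulate_enumeration(None, 100000, 100010))
    # A logged-in customer trying the same walk only ever sees her own account.
    print("alice:", simulate_enumeration("alice", 100000, 100010))
```

Two points follow from the example. Making account numbers long and unguessable would slow enumeration but is not a substitute for the ownership check, because a number that leaks by any other route (a printed statement, a shared link) would still open the record. And the fields the hardened handler now withholds from everyone but the owner, home address and vehicle registration, are exactly the kind of “private” details Welch notes are reused as password reset answers elsewhere, which is why an exposure like this matters beyond the site it occurs on.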
The situation has highlighted New Zealand’s lack of data breach reporting laws.
Across the Tasman, robust data breach laws have been in place since February, when the Notifiable Data Breaches (NDB) scheme came into effect. The scheme requires organisations covered by the Australian Privacy Act to notify affected individuals, and the Australian Information Commissioner, when a data breach involving personal information is likely to result in serious harm. Meanwhile in the EU, the GDPR (General Data Protection Regulation) began to apply in May.
New Zealand’s lack of data breach laws is set to be remedied, according to the Office of the Privacy Commissioner. While companies are currently not required to report data breaches in New Zealand, the Privacy Act is being overhauled and the replacement bill is before a select committee. A draft version of the NZ Privacy Bill is available to download.
Privacy Commissioner John Edwards is upbeat about the new Privacy Bill, saying the overhaul of the 25-year-old privacy law is well overdue.
“I’m pleased the Government has moved so promptly in its term to address the immediate need for stronger privacy protections and enforcement powers. Better privacy and data protection regulation is a growing trend in OECD countries like New Zealand.”
The original Privacy Act (crafted in a mostly pre-digital 1993) made privacy breach reporting voluntary. The updated version reflects New Zealand’s digital environment and makes data breach reporting compulsory. It is also understood to include stronger powers for the Privacy Commissioner and more substantial fines.
As good as the revised regulations are, compliance costs are likely for New Zealand businesses dealing with the aftermath of a data breach. The global nature of the internet means affected companies can face numerous challenges and expenses. Affected companies must not only establish in which countries their customers are based, but must also navigate a complex web of regulatory bodies in various countries whose laws will vary widely.
Complexities can include understanding what types of data leaks require notification, how data breach notifications get carried out and which authorities get notified. Adding to this is the spectre of legal penalties, lawsuits, impacted contractual obligations and brand damage. The financial impact of complying with data breach reporting requirements for businesses is significant. That said, the alternative is likely to consist of eroded customer trust and, over the longer term, hard to repair damage to the breached company’s brand.
The Office of the Privacy Commissioner estimates that approximately 50 breaches were reported to it between July and October 2017. While a small number by international standards, the actual number of breaches is likely to be larger, given that reporting here is voluntary.
Welch said there are benefits to introducing mandatory data breach reporting laws: “Research has shown in the US that data breach disclosure laws are associated with a reduction in identity theft”.
Equally significant, mandatory data breach reporting will also force companies to come clean, which can only be good news for customers.
While Z Energy didn’t experience a data breach, Stuff says that Z Energy only went public when confronted about Z Fuel Card website vulnerabilities. Stuff also contends that while Z Energy told customers, the NZSE and the Office of the Privacy Commissioner that they had just found out about the vulnerability from Stuff a fortnight ago, they had actually been sent information about the vulnerability seven months ago.
These actions, Welch said, could affect customers: “They minimised what went on and claimed there was no real impact upon people. This left people vulnerable”.
A more appropriate response, says Welch, would have been to follow the Privacy Commissioner’s online data safety toolkit as a guideline for notifying customers and the public of a potential data breach.