Large privacy breaches impact us all
Personal information can be exposed in an instant. Boards need to test how they would respond.
Michael Webster, Privacy Commissioner
When privacy breaches are in the media, they can be embarrassing for businesses and can put you in the spotlight for all the wrong reasons. A privacy breach can also serve as an important wake-up call, teaching valuable lessons to help you emerge stronger.
Privacy breaches are bad for business. At the very least, your reputation takes a hit. They can also lead to a loss of clients and money, so there’s a very real incentive to learn from not only your own privacy breaches, but also from those you see happen to others.
We saw an example late last year, with the Manage My Health cyber incident impacting the health information of nearly 100,000 New Zealanders. It attracted significant media attention and led people who used the service to ask questions about the organisation and its information security arrangements.
Privacy breaches can rock people’s confidence in how their personal information is managed, which means reduced trust in your business and what you offer. In our recent annual privacy survey, 66% of respondents said they would consider changing service providers if they had poor privacy and security practices. If you’re not looking after people’s personal information well, your consumers are highly likely to shop around for someone who will.
It’s not just the breach itself that can impact people’s opinions, but also the notification process. Do the people affected feel they’re being kept informed about what happened? Do they understand why it happened? Perhaps most importantly, are they told what is being done to stop it happening again?
If people don’t feel you’re doing a good job of communicating, managing and fixing the problem, it can lead to more questions about whether you’re the right place for them to trust with their information. It’s far easier to keep people’s trust and confidence than to try to restore it later.
Public incidents can quickly affect people’s views. This, and other recent privacy breaches in the health sector, appear to have dented people’s confidence, with our privacy survey showing 56% of people have concerns about the security of their health information.
My Manage My Health Inquiry report goes into more detail about the specific causes of the breach, but there are broader issues involved that will resonate with many directors and should lead you to ask questions about your own businesses and their governance.
Do we have the right security in place to stop cyberattacks? How quickly could we tell a major breach had occurred and what would that look like? Is there an up-to-date privacy breach response plan in place and how long would it take to implement?
As a director, it’s also a good opportunity to ask wider questions. How are we managing third-party providers? Are our contracting arrangements, risk assessment protocols and due diligence practices fit for purpose?
If you’re not sure, or think there are some gaps, I strongly recommend you ask the people responsible to double-check their systems and processes.
Privacy breaches occur regularly and in all types of organisations. While you can probably rest a little easier if you have adopted sophisticated IT systems and security protocols, these cannot protect a business against one of the leading causes of privacy breaches – human error. You may be only one email away from a potential privacy breach.
Whether you’re on the board of a major corporate or your local tennis club, you need to ensure you protect the personal information of clients, staff and stakeholders. Ignorance is not a legal defence under the Privacy Act, so make sure you understand your obligations. The best way to do this is by making sure you, as a director, take privacy seriously.
Learn from privacy incidents and near misses in your own organisation and learn from the misfortune of others. Chances are there’s a lesson to be learned to help stop you being breached again, or to help you respond in a way that keeps people’s trust and confidence.
Major breaches are a reminder that if you don’t take privacy seriously you’re risking a lot more than a few weeks of embarrassing headlines.
Take this opportunity to ask some tough questions, model privacy leadership, learn more about what causes privacy breaches and then ask: could the same thing happen to us?