In this edition of infoRM:
VTech data breach a timely reminder to check data security
Hackers have reportedly compromised the accounts of around 4.9 million customers of toy-maker VTech. The data breach, which affects customers and their children across multiple jurisdictions (including around 1,500 New Zealanders), is another reminder of the increasing frequency of commercial hacking and the need to have effective security. It also raises the delicate question of how organisations should respond once becoming aware of a breach.
The data breach, which occurred on 14 November, was identified by VTech on 23 November after a journalist asked about the incident. Customers were notified on 27 November. Although the databases accessed did not contain payment card or ID card information, they did include customers’ names, email addresses, secret questions and answers for password retrieval, IP addresses, mailing addresses, download history and encrypted passwords. Other information included children’s profiles and photos, and “Kid Connect” electronic messages (between children and their parents).
The case is a reminder for New Zealand agencies to maintain reasonable security safeguards in accordance with IPP 5 of the Privacy Act, and that what is “secure” requires continued assessment as hackers’ capabilities become more sophisticated.
The relative delay between VTech becoming aware of the breach and its notification to customers also illuminates the risks agencies balance when responding to a data breach. Early notification to customers allows remedial action (for example, changing passwords, closing accounts or contacting banks where card information is involved) that can limit damage to individuals and the agency (including from class actions) while maintaining confidence that “everything is being done” to address the issue. However, a period of investigation is often necessary to understand the nature of the breach, and premature notification of a breach that turns out to be minor can cause unnecessary anxiety and potentially significant reputational (and therefore commercial) damage.
In New Zealand, voluntary notification of data breaches is increasingly common according to the Office of the Privacy Commissioner’s (OPC) recent annual report, with such notifications set to become compulsory under changes to the Privacy Act proposed by the Ministry of Justice. Under the proposals, agencies would have to report material breaches to OPC and, where there is a “real risk of harm” (in terms of the Privacy Act), to affected individuals. In the interim, agencies are left with the task of assessing for themselves the right thing to do. A good starting point will be OPC’s guidelines for responding to data breaches.
R v Dixon: Property in the digital age
The Supreme Court has held that digital files can be “property” under s 249 of the Crimes Act 1961, departing from previous authorities that regarded digital files as being pure information and not property. The decision has potentially broad ramifications for the protection of digital information.
The issue in the case was whether Mr Dixon was properly convicted under s 249(1)(a) of the Crimes Act (ie, of having accessed a computer system and thereby, dishonestly or by deception and without claim of right, obtained any property). Mr Dixon had created still images copied from CCTV footage on a work computer, transferred the images onto a USB drive and then deleted them from the computer. Section 249 carries a maximum sentence of seven years’ imprisonment.
The District Court accepted that digital files could be property but the Court of Appeal held the files were merely information and substituted a conviction for obtaining a “benefit” under s 249.
Mr Dixon appealed and the Supreme Court reinstated the District Court’s decision, holding that property is a fluid term and, in context, s 249 was intended to cover digital files. The Court reasoned that the data files were capable of being owned and transferred, had economic value, had a “material presence”, and were often viewed in the same manner as other tangible forms of property such as paper documents. Digital files thus fell within the popular and legal meanings of property (at least for the purpose of s 249).
The full implications of Dixon are yet to be seen. The case concerns a difficult distinction between pure information and property and raises questions as to whether conduct previously viewed as merely a privacy breach (eg copying personal information) or a violation of copyright (downloading pirated content) may be covered by dishonesty provisions in the Crimes Act, such as receiving “property” obtained illegally under s 246.
ECJ ruling disrupts US – EU data transfer arrangement
A recent decision of the European Court of Justice has struck down an arrangement which permits thousands of companies to transfer personal data from Europe to the US. While a substitute arrangement (intended to comply with the decision) is currently being drawn up, the decision remains a blow to US technology companies, many of which have millions of European customers.
The case is the latest development exposing transatlantic differences in expectations of privacy, and was prompted by a complaint from an Austrian citizen after personal data held by Facebook’s Irish subsidiary was transferred to the US.
The relevant law, the 1995 EU Data Protection directive, allows a company to transfer the personal data of EU citizens to an external country only if that company’s privacy protection in the external country is equal to that required in the EU. A 2000 decision of the European Commission had held that if US companies were certified as adhering to a set of Safe Harbor Privacy Principles, it would constitute sufficient protection. The ECJ’s decision overturns that position on the grounds that legislation permitting US authorities to access certain electronic communications compromises the right to respect for private life contained in the Charter of Fundamental Rights of the European Union.
A resulting question for Irish regulators to determine is whether Facebook’s transfer of private information should be suspended on the ground that the US does not afford an adequate level of protection of personal data. It remains to be seen what additional protections the updated US Safe Harbor Privacy Principles will contain to satisfy such concerns. However, one significant step towards greater balance, taken only weeks after the decision, is Congress’ decision to pass the Judicial Redress Act. The legislation allows EU citizens to bring claims against US Government agencies for privacy breaches, although broad exceptions to liability mean that it is unlikely to have a far-reaching effect.
New Zealand, meanwhile, is considered by the EU to be a state which provides adequate privacy protection via the Privacy Act 1993 and is unlikely to lose its status in the way the US has.
This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.