Accident Compensation Corporation NZ slammed over data breach
- 27 August, 2012 13:48
The New Zealand Privacy Commissioner, Marie Shroff, has taken the Accident Compensation Corporation (ACC) to task over its August 2011 data breach of 6748 NZ clients’ details, saying the Corporation displayed an “almost cavalier attitude” towards data protection.
A report (PDF), entitled Independent Review of ACC’s Privacy and Security of Information, found that on 5 August last year, an ACC Northern Region recover independence services (RIS) manager was drafting an email response to an Auckland-based ACC client.
In the course of drafting the email, the RIS manager accidentally clicked and dragged an unrelated email so that it became part of the email being drafted.
According to the report, the unrelated email included a spreadsheet containing information on 6748 ACC clients. This information related to the status of clients’ reviews with Dispute Resolution Services Limited (DRSL). DRSL is an independent company which manages review hearings for ACC clients who are unhappy with a decision related to their accident claim.
In addition, it was not until 26 October 2011 that the Auckland-based customer discovered the spreadsheet containing details of 6748 ACC clients.
The review was commissioned by the Office of the Privacy Commissioner (OPC) and the ACC Board.
Commenting on the review, Shroff said that while she accepted the data breach was a genuine error, it happened because of “systemic weaknesses within ACC’s culture, systems and processes”.
“The reviewers noted a good level of privacy awareness, especially at branch level. But the review also highlights a culture that, according to stakeholder feedback to the reviewers, has at times an almost cavalier attitude towards its clients and to the protection of their private information,” she said.
Shroff added that the review showed information stewardship was at a low level and focused on breaches and complaints rather than taking strong leadership that emphasised respect for ACC’s clients and their information.
“While ACC has elements of privacy protection and security, these are not up to the standard expected of a responsible public sector agency that holds highly sensitive information on a large number of people,” she said.
It was recommended by the OPC and ACC Board that the ACC review its policy and procedures for the collection and storage of personal information.
In addition, an independent audit of how ACC has implemented the policy changes is to be undertaken every two years, with the audit information provided to the NZ Privacy Commissioner.
“It’s evident from the report that a lot needs to change before public confidence in ACC can be restored,” Shroff said.
“I believe it can be done, but only if ACC takes the review’s findings seriously and gives its staff the support they need to implement the necessary changes.”
Follow Hamish Barwick on Twitter: @HamishBarwick