The disruptive cyber attacks on the NZX, MetService, Voyager and other local outfits have briefly diverted us from the more serious cyber threat - our data being illegally accessed and stolen.
A distributed denial of service attack can take a website offline, resulting in loss of business and reputational damage. But eventually the torrent of traffic subsides and the stunned victim can be up and running again fairly quickly.
Data breaches are a different bag, which is why the GCSB, with its Cortex system for adding a layer of security to critical infrastructure providers in the public and private sectors, has focused on detecting and eliminating malware.
That’s the worms, Trojan horses, ransomware, spyware and rogue software that can be used to damage your IT infrastructure, lock it up so you can’t use it and syphon off your confidential documents and emails.
You only have to ask a Sony Pictures executive about the damage that can be done when a hacker gains access to your network undetected.
It happened to Sony back in 2014 when a hacker group spent two months trawling through the Hollywood studio’s servers undetected, stealing unreleased movies and movie scripts, documents outlining sensitive employee information and some highly embarrassing email correspondence revealing the nasty backbiting antics of Tinseltown.
A group named Guardians of Peace then dumped the data trove online for everyone to see, but only after deploying “wiper” malware to render Sony’s network unusable. The fallout for Sony was massive.
The hacking famously led to the studio pulling the theatrical release of Seth Rogen's movie The Interview, which depicted the fictional assassination of North Korean leader Kim Jong Un. Less well known is that outraged Sony staff sued their own company for not looking after their data properly. Sony settled with some of them for up to US$8 million the following year.
That’s the thing about big data breaches: you hear a lot about the companies that were hacked, but less about the employees, customers, shareholders or patients whose data was exposed and stolen as a result.
This might change in December when, finally, the updated Privacy Act comes into force. The law will make it mandatory for organisations that have suffered “serious” data breaches to let affected parties and the Privacy Commissioner know as soon as they find out about it - not months or years down the track, which has often been the case in the past.
Data breach class actions
The act also allows the Privacy Commissioner to issue compliance notices to compel organisations to comply with the law and fine companies $10,000 for failing to do so. The Privacy Commissioner himself, John Edwards, has complained the amendments don’t give privacy law the teeth needed for him to properly play his watchdog role on data privacy.
But the new Privacy Act could pave the way for something we haven’t seen here before - the data breach class action. It allows the Human Rights Review Tribunal to award up to $350,000 to each member of a class action.
Essentially, a group of aggrieved people who have had their personal data breached could take a case to the Human Rights Review Tribunal, the independent judicial body that hears claims relating to breaches of the Human Rights Act, Privacy Act and the Health and Disability Commissioner Act.
It regularly awards damages to the tune of tens of thousands of dollars for “emotional harm” and “humiliation, loss of dignity and injury to feelings”. It will typically issue a “declaration of breach of privacy” if that has happened.
But with single data breaches increasingly exposing the details of thousands, even millions of people, the new class-action provision could potentially see major cases taken to the tribunal with millions awarded in damages for serious breaches.
That will be a sobering thought for any business that holds considerable amounts of customer data. But it’s not really the same as the data breach class-action lawsuits in the US where the likes of LinkedIn, Yahoo, Equifax and Marriott have settled with those who have had their data exposed or misused.
However, government-owned Southern Response is facing an “opt out” class-action lawsuit over allegations it underpaid Cantabrians when settling their earthquake insurance claims. The Court of Appeal ruled claimants could automatically be included as plaintiffs in the case against Southern Response unless they opted out of it.
That’s paved the way here for class-action lawsuits in general. Australia saw its first data breach class action settled in December. The Supreme Court case involved the New South Wales Ambulance Service having to pay A$250,000 to current and former employees after a contractor working there accessed their medical and psychiatric records and sold the data to personal injury law firms.
The claimants successfully argued the ambulance service had failed to properly protect their privacy.
No one wants to see anything as litigious as the US legal system. But there can be real damage done, be it economic, reputational or emotional, when someone’s data is exposed or misused.
Finally, we may start to see companies hit in the pocket for their data privacy slip-ups.