A New Zealand property management company holding personal information about tenants on behalf of landlord clients has been required to take urgent steps to fix a gap in the security of a website it hosted.
The gap created the potential for unauthorised access to images of tenants’ passports, driver’s licences and other identity documents. While the quantity of information put at risk was not confirmed by the company, the tech website CyberNews said that over 31,000 files had been publicly available.
The company says there was no unauthorised access to the website while it was active, and that the flaw was fixed as soon as the company was notified of it.
The breach has been blamed on a design flaw in the company’s website. It has been reported that the data was stored by Amazon Web Services, which is a widely used system allowing for the storage of data in the cloud.
Privacy legislation in New Zealand
The breach occurred against the background of new privacy legislation being passed in New Zealand. New Zealand’s current laws relating to the privacy of personal information are contained in an Act that came into force in 1993. Since then, advancements in technology and the introduction of a vast array of platforms that collect and share personal information have changed the face of data protection internationally.
New Zealand’s new Privacy Act 2020, which comes into force on 1 December 2020, strengthens the protections afforded to people’s personal information in a range of ways:
- The introduction of a requirement to report, as soon as practicable, privacy breaches that pose a risk of serious harm. Reporting must be to both the Privacy Commissioner, who is the person with overall oversight of privacy matters in New Zealand, and the person or people affected. This brings New Zealand in line with international best practice.
- Strengthening cross-border protections: New Zealand agencies will be required to take reasonable steps to ensure personal information sent overseas is protected by similar levels of privacy protection to those required in New Zealand. If this is not the case, the individual concerned must be fully informed that their information may not be adequately protected, and they must expressly authorise the disclosure.
- The enhancement of the Privacy Commissioner’s powers, including the introduction of the power to:
  - issue compliance notices to require an organisation to do something or stop doing something in order to comply with the Privacy Act; and
  - demand the release of personal information to individuals, if an organisation refuses to make this information available on request.
- An overseas agency carrying on business in New Zealand, even if it does not have a legal or physical presence in the country, will be subject to the Privacy Act 2020. This will capture businesses such as Google and Facebook.
Once the new privacy law comes into force, the Privacy Commissioner will have greater powers to address breaches of privacy like those relating to the property management company.
From a practical perspective, the issues relating to the company have raised awareness of the need for organisations holding personal information to take the necessary steps to ensure the information is held securely. This obligation may include taking reasonable steps to check the competence and qualifications of technical experts and ensuring that contracts entered into with such experts contain the necessary obligations to protect this personal information. With the Privacy Commissioner’s enhanced powers imminent, businesses should be taking the measures necessary to protect the personal information they hold.