Accident Compensation Corporation NZ slammed over data breach

The New Zealand Privacy Commissioner, Marie Shroff, has taken the Accident Compensation Corporation (ACC) to task over its August 2011 data breach of 6748 NZ clients' details, saying the Corporation displayed an "almost cavalier attitude" towards data protection.

A report (PDF), entitled Independent Review of ACC's Privacy and Security of Information, found that on 5 August last year, an ACC Northern Region recover independence services (RIS) manager was drafting an email response to an Auckland-based ACC client.


In the course of drafting the email, the RIS manager accidentally clicked and dragged an unrelated email so that it became part of the email being drafted.

According to the report, the unrelated email included a spreadsheet containing information on 6748 ACC clients. This information related to the status of clients' reviews with Dispute Resolution Services Limited (DRSL). DRSL is an independent company which manages review hearings for ACC clients who are unhappy with a decision related to their accident claim.

In addition, it was not until 26 October 2011 that the Auckland-based customer discovered the spreadsheet containing details of 6748 ACC clients.

The review was commissioned by the Office of the Privacy Commissioner (OPC) and the ACC Board.

Commenting on the review, Shroff said that while she accepted the data breach was a genuine error, it happened because of "systemic weaknesses within ACC's culture, systems and processes".

"The reviewers noted a good level of privacy awareness, especially at branch level. But the review also highlights a culture that, according to stakeholder feedback to the reviewers, has at times an almost cavalier attitude towards its clients and to the protection of their private information," she said.

Shroff added that the review showed information stewardship was at a low level and focused on breaches and complaints rather than taking strong leadership that emphasised respect for ACC's clients and their information.

"While ACC has elements of privacy protection and security, these are not up to the standard expected of a responsible public sector agency that holds highly sensitive information on a large number of people," she said.

It was recommended by the OPC and ACC Board that the ACC review its policy and procedures for the collection and storage of personal information.

In addition, an independent audit of how ACC has implemented the policy changes is to be undertaken every two years, with the audit information provided to the NZ Privacy Commissioner.

"It's evident from the report that a lot needs to change before public confidence in ACC can be restored," Shroff said.

"I believe it can be done, but only if ACC takes the review's findings seriously and gives its staff the support they need to implement the necessary changes."

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia

Copyright © 2012 IDG Communications, Inc.
