In this guest blog, which looks at the issues behind the ISP Spotlight, New Zealand's Privacy Commissioner John Edwards talks about why it is important that ISPs tell customers when their data is breached.
Losing information, communicating honestly and taking control
If you trusted someone to look after something for you, you'd expect them to tell you if they lost it, right? Personal information is no different. If your ISP loses your information, sends it to the wrong place, has it stolen by hackers or accidentally publishes it, you expect them to tell you.
That's why Internet NZ's inclusion of data breach notification in their ISP Spotlight review is important. Data breaches - where agencies have lost or leaked personal information - can be a jarring loss of control for the people affected or involved. They find out that their personal information was not as secure as they had assumed or expected, and they now don't know whose hands their information is in.
It creates a sense of uncertainty and unease.
People make complaints to my Office because they disagree with the way their personal information has been used, or they don't think it has been looked after properly. Often this makes them feel like they've lost control over their personal information - and over how decisions are made about them.
Imagine then, what it is like to find out second-hand that a business you trusted has lost control of your personal information. You'll have questions - when did it happen, how long has my information been exposed, who has it, what are you going to do about it, and who do I talk to about this?
ISPs should have a policy
You should expect your ISP to have a policy to let you know when something goes wrong. You don't want to deal with the stress of researching and answering these questions yourself - and you don't want to have to rely on the news media or social media to tell you what you need to know.
You get peace of mind, but your ISP benefits from this approach too. Being proactive comes across as more genuine than saying "we take our customers' privacy very seriously" in a media release or on a website. ISPs should let customers who might be affected know about the incident directly. This opens a line of communication for them to tell you exactly what went wrong and why, and it gives you the opportunity to ask questions. You want to be able to take steps to get ahead of any fallout - ISPs can also give suggestions about what you can do to minimise any potential harm (for example, to change passwords or secure linked accounts).
My Office protects people's ability to make decisions about their own information. It's not up to your ISP to decide whether the harm of a breach will be minimal. Minimal to them can appear gigantic to you depending on where you are standing. What a business thinks customers need to do to secure their personal information is not an objective fact - you might want to take further steps to feel safe or in control, and that's an important ability to protect.
My Office put together a Data Safety Toolkit to help agencies like ISPs respond to data breaches. My staff are also happy to assist both ISPs and individuals in talking through the specifics of a breach response - whether a breach is happening right now, or you just want to be prepared.
It's important that ISPs back up their notification policies with the right resources. Sending an email out to customers and then not being able to respond to any replies is not useful to anyone, and it diminishes the goodwill earned by being honest and upfront.
The ISPs that choose to tell customers about breaches know that information privacy is about more than legal compliance. They know that good privacy culture is about going beyond the minimum requirements outlined in the Privacy Act and that there's value in working to earn and maintain your trust. It recognises the importance their customers place on control.
Strong communication is the foundation of any good relationship. ISPs have a vital relationship with their customers, so you shouldn't be the last to know.
Data breach notification is one of the issues that ISPs are rated on in the ISP Spotlight review. See more here: ISP Spotlight