Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

Something for nothing - ACC lessons learnt

Here’s something for nothing - take advantage of the free lesson from our largest accident insurer. In this case, their loss – literally – might be your gain.

It’s a simple bit of risk management. What you invest in time now to prevent data leaks, drips or floods, will save you ten-fold in the long run.

News first broke of the large ACC data breach in March. The independent inquiry report into that breach of personal information, and ACC’s surroundings systems and culture, was released to media and public in August, and is full of detailed findings and recommendations (see http://www.acc.co.nz/PRD_EXT_CSMP/groups/external_communications/documents/reference_tools/wpc114897.pdf).

 It seems pretty clear that there were systemic faults within ACC. But how widespread are those or other similar faults?

We’ve seen painful evidence in the last week or two of other government agencies such as MSD and IRD going through their own public humiliation as they front up to preventable failings.

Data breach notification isn't required by New Zealand law right now, but that may change. See the Privacy Commissioner’s data breach notification guidelines for starters.These are the minimum standards we expect businesses to have complied with if we are inquiring into a breach.

But regardless of the specifics of the law, most responsible agencies are willingly notifying clients if their data is compromised. That way, you at least have the chance to try and front-foot the problem. The cost of sorting things out is still there – whether or not it is required by law.

Precious time and resources

And if you are having trouble persuading others in your organisation about the need to up their game, you might draw their attention to the amount of work they will otherwise face if and when the data trickle becomes a torrent. Talk to colleagues at ACC; MSD, or even Sony.

Figuring out what information has been at risk may itself be a time consuming exercise. Similarly, it can be quite a task to figure out who has been affected. It could easily be many thousands of files; documents and clients.

And then you need to get on and do the grunt work of contacting people – and dealing with all the fallout and the flack. It ain’t no picnic!

No time for complacency

The public sector can’t afford to be complacent. ACC’s effective monopoly as an accident insurer may have contributed to its organisational culture and, ironically enough, its inability to see risk for what it was.

The upshot was that Bronwyn Pullar became something of an urban hero and the unshackled spreadsheet of sensitive claimants came to represent all that can go wrong in a digital bureaucracy. Life on our digital platforms may be fast-paced, but quick doesn’t always equal smart.

Perhaps the competitive driver in the private sector gives businesses a reality check over their state-side cousins. Drop the ball too badly and you’ll lose business. Some of the banks are pretty clued up to this.

Recent comments by the State Services Commissioner Iain Rennie, though, are heartening. He called the ACC inquiry report a ‘dramatic reminder’, and went on to suggest a state-sector stocktake and overhaul. It’s exactly the right thought. Let’s hope something like that happens. The findings from the newly announced GCIO’s review will fill in some bits of that picture.

Start at the beginning

So where do you begin? Start from the start and self-audit your information handling processes. Take a hard look at what your organisation says it does with people’s information, and what it actually does. Reflect on the culture. Examine the systems.

You might have a look at the guide put together for Australian directors[1] a few years ago (See: “A Guide for Directors, Privacy & Boards: What You Don’t Know Can Hurt You,” www.privacy.gov.au). You might find the list of questions that directors should ask a good launch pad.

We’d quite like to do something similar for New Zealand businesses and organisations. It could just help to avoid another lengthy and expensive mea culpa from the next government department or corporate.



[1] The Australian Institute of Company Directors and the Australian Federal Privacy Commissioner’s Office “A Guide for Directors, Privacy & Boards: What You Don’t Know Can Hurt You” (www.privacy.gov.au).