The Earthquake Commission in New Zealand has been in the news over the past few days, due to a privacy breach where an EQC staffer mistakenly sent a spreadsheet by email to the wrong recipient. Ian Simpson, the CEO of EQC wrote yesterday:
“Today I confirmed the scale of the privacy breach on Friday was larger than first thought.
It has been very disappointing to learn today that the spread sheet released in error on Friday could be manipulated to provide details of every claim in the Canterbury Home Repair Programme.
This means that the number of claim details released was potentially as high as 83,000. No names were released.
It would take a detailed examination of the spread sheet to view this information, and it was not apparent that it was accessible when I provided information to our customers on Friday.
It’s important to note that we have undertakings from the recipient that the information was destroyed, so the information is no longer available to anyone outside EQC.
However, this does not excuse the lapse that has allowed so much private information out, no matter how briefly. I unreservedly apologise to all our customers in the Canterbury Home Repair Programme.
As I said on Friday, we are reviewing our systems to prevent this from ever occurring again.
EQC has turned off the ‘auto populate’ function in Outlook so that email recipients can’t be entered in error, but our long term solutions focus on using more secure methods of data transfer than email to protect our customers and ourselves from future breaches.“
And our Prime Minister, John Key, has said the EQC staffer involved should not be sacked.
Michael’s Comments
1. Turning off auto-populate is a knee-jerk reaction. It’s a neat productivity feature for people using email. It’s the wrong strategy for the EQC.
2. There are some good alternative approaches to sharing information in a secure way, and the EQC needs to get onto these immediately – not as a long term strategy. Creating shared, secure repositories of data relevant to an external organization, with auditing capabilities to see who has access to what, should be investigated ASAP … and implemented within a month.
3. In the immediate short term – i.e., this week – the EQC needs to start investigating data leakage protection / prevention software. This class of software tools scans outgoing email messages and if something remiss is found, it blocks the transmission (or highlights it for review by a human being). Given the sensitivity of the information the EQC is dealing with, and the already tenuous timeframes people are struggling under for getting their houses and property fixed, the EQC can’t afford another such public situation.
4. This privacy breach was identified and made public. Speaking broadly and not about the EQC now, many other breaches are never identified. Organizations just don’t have the systems in place to ensure email is used effectively, and that sensitive or confidential information isn’t released. It’s time to do something about it – and not just by the EQC.
Categories: Culture & Competency, Tools & Technologies
Michael Sampson 
In extreme conditions we can have a mail scanner to monitor the email transactions but it may affect the quality of service.
Here’s a question coming from different direction. Do we actually want to stop these sorts of breaches from government, or is this a good way for New Zealanders to actually get to the truth. In all the media, I’ve not seen any EQC claimant complain about the breach, but rather the unfairness of how they have been dealt with by EQC.
Breaches of this nature have in the past revealed a lot more about the organisation from which they have come. When I think about ACC, their breaches highlighted some significant issues with their corporate culture along with questions which were being raised about their processes. The upside has been that positive change has taken place.
A different view indeed Vaughan. What I hear you saying is that employees should actively share confidential business information that highlights the flaws in the business’s operating approach. That’s a fairly extreme approach to whistle blowing. What protections would you suggest should be in place for an employee who does actively distribute such information and it turns out they were wrong about the organization?