Yahoo breach shows NZ's need for notification law: PC

New Zealand Privacy Commissioner John Edwards has used Yahoo’s recent disclosure of the theft of 500 million customer records to repeat his call for the government to introduce mandatory data breach notification regulations.

Edwards noted that the hack has affected “a small portion” of the 825,000 email accounts that telecommunications service provider Spark provides to its users in partnership with Yahoo.

Yahoo announced last week that the company has become aware of a data breach from 2014 that resulted in the theft of information on at least 500 million users, including names, email addresses, phone numbers, dates of birth and in some cases unencrypted security questions and answers.

“We are grateful that Spark quickly alerted us about this breach and immediately began taking action to resolve it. However, the fact that Yahoo may have known about the breach for a number of months before alerting the public shows why we need mandatory breach notification,” Edwards said.

“Every day counts in a data breach and agencies need greater incentive to take a leaf out of Spark’s book by promptly telling customers that their personal information has been compromised.”

Proposed reforms to New Zealand’s Privacy Act, due to be tabled into parliament next year, would introduce mandatory breach notification.

Edwards said when agencies lose customer data, they must help consumers take steps to protect themselves, including alerting customers of a breach as quickly as possible.

“This is particularly true with a breach of this size and with such sensitive information. Email accounts are often a central repository of peoples’ online identities, so a compromised email account can lead to other information being compromised, such as banking and medical information,” he said.

Image courtesy of abhisawa under CC