Privacy Commissioner John Edwards says the infamous hack of up to 500 million Yahoo email accounts demonstrates the importance of New Zealand introducing mandatory breach notification.
Edwards said: “The fact that Yahoo may have known about the breach for a number of months before alerting the public shows why we need mandatory breach notification.”
He added: “When agencies lose customer data, they need to help those customers take steps to protect themselves by alerting them as quickly as possible.
“This is particularly true with a breach of this size and with such sensitive information. Email accounts are often a central repository of people’s online identities, so a compromised email account can lead to other information being compromised, such as banking and medical information.”
Edwards said the breach had affected only a small portion of the 825,000 email accounts that Spark provides to users through its partnership with Yahoo and he praised Spark for its prompt response. “We are grateful that Spark quickly alerted us about this breach and immediately began taking action to resolve it.”
The Yahoo hack included names, email addresses and security questions and answers used to reset passwords. It is not yet clear when Yahoo learned about the hack, which took place in 2014.
Edwards said the hack exemplified the international nature of privacy, noting that the US Federal Trade Commission and Irish Data Protection Commissioner were already working together to make enquiries into the incident.
Proposed reforms to the Privacy Act include mandatory breach notification, where agencies must report breaches of a certain scale. These reforms are due to be tabled in parliament in 2017.
The Australian government has indicated it intends to push ahead with legislation to create a mandatory data breach notification scheme.