New Zealand’s Privacy Commissioner John Edwards issued a statement about the conduct of some NZ media with respect to the Waikato DHB ransomware incident and data dump. While I have great respect for both the commissioner and his office, his statement seems to suggest that press should self-censor or be censored when it comes to investigating and reporting on breaches involving stolen personal and sensitive information.
Using discretion about what to report if it may harm or embarrass others is an acceptable recommendation and within the ethics code for journalists. Imposing censorship of the press is not acceptable.
Commissioner Edwards’ statement appears below, followed by my thoughts and response to his statement.
Privacy Commissioner John Edwards is very concerned about RNZ’s reporting of personal information which was taken from documents leaked online following the Waikato DHB cyberattack.
“This reporting would appear to raise quite significant ethical questions, and I would be concerned to think of journalists trawling through illegally obtained deeply sensitive personal information to identify and generate stories. The fact that one media source would appear to have done so may prompt others to do so – effectively creating a market for, and monetising, this very personal material,” says Mr Edwards.
“It is essential that people – including media – respect the personal information of others. Any information which has come from the Waikato DHB ransomware breach is likely to be sensitive personal information, which is likely to cause a great deal of anxiety to the people affected.
“Journalists should not be accessing this information and should in no case contribute to its more widespread dissemination. Doing so only adds to the distress of those whose personal information has been disclosed.”
The Office of the Privacy Commissioner is currently considering whether the matter ought to be brought to the attention of the Broadcasting Standards Authority and/or the New Zealand Media Council.
The ethics code for the Society of Professional Journalists can be found here.
My comments on Commissioner Edwards’ statement:
I appreciate the commissioner’s concern for those whose sensitive data was stolen and dumped, but his statement “Journalists should not be accessing this information and should in no case contribute to its more widespread dissemination,” would seemingly demand that we abandon our obligation to report accurately — or if he has his way — to report at all. Neither serves the public well.
The ethics code for journalists requires us to attempt to verify our facts so we can report accurately. But how can we verify a breach claimed by criminals if the entity doesn’t answer questions, doesn’t disclose details transparently, and declines to answer questions citing privacy considerations? Under such circumstances, the commissioner may want us to forgo reporting altogether, but that does not serve the public well. Despite what the commissioner advocates, the press sometimes needs to access and inspect stolen data so that we can report accurately. Do we really want to let unexamined and unverified claims stand in the public record? How many entities have been incorrectly named as being victims of a breach, only to have the record corrected because a journalist actually examined a data dump and found that it did not come from the entity the criminals had named? DataBreaches.net has corrected a number of false claims in the media precisely because we did examine dumps of stolen data and found that they did not come from the source named by the criminals.
Then, too, all too often victim entities try to cover up or minimize breaches, and many breaches would likely never come to light if not for some news outlet reporting on it despite an entity’s silence and ignoring of inquiries.
It is the press’s role to challenge such claims so that the public — and the real victims — are accurately informed about the severity and scope of an incident.
Will it upset some people to learn that their sensitive information may be caught up in a dump? I have no doubt that some may be upset. If I report that your doctor’s network was hacked and all the patient files are up for sale on the dark web, will it worry you or embarrass you? Perhaps. But are you really better off not knowing? I don’t think so, and DataBreaches.net has received numerous comments and thanks over the years for reporting on breaches in ways that let people know how bad the breach really was when the entity itself had downplayed the scope and seriousness of a breach.
The commissioner shouldn’t be aiding and abetting entities in covering up or minimizing a breach by telling journalists not to look at the data or to report on it if reporting on it might lead to further dissemination of data. His approach will only encourage entities to stonewall journalists and hope that the commissioner will protect them from exposure in service of protecting the victims.
Yes, there may be situations in which the media may sensationalize a breach or write click-bait headlines, and we can certainly discuss that. I have no concerns about Commissioner Edwards raising the issue of how to balance reporting with protecting the privacy of individuals. But censoring the press or prior restraint on speech or journalism is not a solution. More sunlight is.