Are you free to use data unintentionally disclosed to you in a data breach? Adam Bennett reports that the New Zealand Earthquake Commission (EQC) has gone to court to block the use of data on 98,000 claims erroneously emailed to someone last month:
The Earthquake Commission has taken out a court injunction against the insurance advocate it accidentally sent thousands of claimants’ records to last month to block him from using the information.
A commission (EQC) claims manager caused a massive privacy breach when she last month accidentally sent Brian Staples of Earthquake Services Ltd a spreadsheet containing confidential details about 98,000 claims.
Mr Staples signed a statutory declaration saying he had deleted the information but later told the EQC he would retrieve the information to use as he pursued payment from the commission for quake repairs on behalf of about 10 of his clients.
The EQC responded by laying a complaint with police.
This afternoon it said it had been granted an interim injunction from the High Court at Christchurch “to prevent any further dissemination of confidential information by two parties from a spreadsheet sent in error”.
“The injunction has been served on Earthquake Services director Bryan Staples and the blogger known as EQC Truths,” EQC chief executive Ian Simpson said in a statement.
[…]
As someone who has recently criticized heavy-handed techniques used against hapless recipients following breaches, I see this case as somewhat different. I wonder whether the data would have been obtainable under NZ’s freedom of information laws.
But if you’re handed valuable information that affects your clients, wouldn’t you try to use it? And should you be able to use it? If it had been disseminated to the press, wouldn’t they be able to publish it, thereby putting it in the public domain?