The Earthquake Commission was warned last year that it risked breaching claimants' privacy, it emerged yesterday, as Prime Minister John Key came under fire for downplaying "a serious and widespread" data security problem across government departments.
Almost a year to the day after the Bronwyn Pullar ACC email blunder was first reported, EQC claims manager Susan David on Friday accidentally sent an email with an attachment containing details of 83,000 Canterbury quake claimants to insurance advocate Bryan Staples.
EQC was warned about the risk of such a security breach by claimant and IT consultant John Bryant late last year, he told the Herald.
After EQC supplied Mr Bryant with information about its data security practices Mr Bryant told the commission that its response "highlights the problem of human error and mistake which no amount of policy can overcome, and was apparently the source of some of the debacle with ACC emails being released containing information that should not have been".
Yesterday, he said that for EQC to be using "unencrypted datasets" like the spreadsheet emailed to Mr Staples, was "stupid".
"Basic IT 101 says you never put your datasets anywhere near a public email system.
"This is exactly what happened with ACC," he said.
The ACC breach prompted an inquiry led by former Australian privacy commissioner Malcolm Crompton who warned in his report the "human error" made more likely by "systemic weaknesses within ACC" could have happened in any government department in New Zealand.
Mr Key yesterday said he didn't believe the latest breach sugges-ted any systemic private data handling issues across the public sector.
"What's happened is government departments are, like everybody else in the private sector, using technology more. It makes them a little more prone." He downplayed the blunder as "a simple error", rather than a breach of privacy rules.
"The question is, is this an issue where people have broken the privacy rules or is this a situation where people have failed to administer the basic sending of an email properly and I think it's the latter not the former."
Labour leader David Shearer said Mr Key was "arrogantly" dismissing the concerns of the 83,000 Canterbury households affected by the breach "by playing the fool and refusing to take action to prevent it happening again".
"It's clear evidence of a serious and widespread problem with the security of our Government information systems.
"Yet this Prime Minister's response is to simply laugh, shrug his shoulders and say 'oh well, it's just like putting the wrong address on an envelope'."
Earthquake Commission boss Ian Simpson yesterday offered to resign over the affair but Earthquake Recovery Minister Gerry Brownlee told him he still had his confidence and he should stay on.
Hitting the wrong button
Embarrassing electronic disclosures:
*January 2012: Treasury inadvertently publishes on its website a draft report suggesting treaty protections should be left out of partial asset sales legislation. The report is taken down within minutes but not before a copy is made by Herald political reporter Claire Trevett.
*A journalist goes to send a colleague an email detailing their line of "attack" for an upcoming interview with Prime Minister John Key but sends it to Mr Key's office instead.
*June 2012: 3 News Political reporter Patrick Gower goes to send a text message to Michelle Boag saying she deserves an apology from ACC over the release of a private email but accidentally tweets it to thousands of followers instead.