The privacy commissioner has called for stricter standards on the publication of illegally obtained information
The High Court hitting popular news station Radio New Zealand (RNZ) with an injunction for its leaking of confidential information obtained from cyber attackers serves as a warning to media outlets.
“The court took a strong view that the distress caused to those whose privacy rights in personal and sensitive information would be breached significantly outweighs any inconvenience to those who wished to publicise the stolen information for their own commercial gain,” Simpson Grierson litigation partner Jania Baigent told NZ Lawyer. “An important lesson for media outlets is that they should be particularly careful when considering publishing private and confidential information obtained from data hacked by cyber attackers.”
Waikato District Health Board v Radio New Zealand concerned the theft of a dataset containing sensitive and confidential patient information. The dataset was illegally obtained by “unknown defendants” when Waikato District Health Board (WDHB) fell victim to a cyberattack in May.
After a failed attempt to extort a ransom payment from WDHB, the unknown defendants made the stolen dataset available for download on the dark web.
Two months after the cyberattack, an RNZ journalist contacted WDHB to advise the board of the media outlet’s intention to publish a story about a child patient. The patient’s information had been sourced from the stolen dataset.
WDHB objected to RNZ’s use of the stolen dataset and requested that at minimum, RNZ must delay the broadcast of the story in question 48 hours so that WDHB could take steps to protect the affected patient. However, RNZ released the story early the following morning.
The High Court shot down RNZ’s assertion that its conduct was justified on the basis that the public interest outweighed the breach of confidentiality.
“While those who would wish to publicise the stolen information for their own commercial gain will be inconvenienced…such inconvenience is significantly outweighed by the distress caused to those whose privacy rights in their personal and sensitive information is breached,” Justice Peter Churchman said.
Churchman ordered both RNZ and the unknown defendants to refrain from accessing or disclosing the stolen dataset or its contents without WDHB’s consent. He also ordered RNZ and the unknown defendants to permanently delete all copies of the stolen dataset in their possession.
“This pragmatic approach reflects the realities of how cyber criminals act, particularly in their ability to obscure their identities and other traceable information when using the dark web,” Baigent told NZ Lawyer. “Granting an injunction to unknown defendants in these circumstances gives teeth to the court’s order. It recognises that the identities of the cyber attackers are unknown, and it prevents others from spreading the illegally obtained data to further the aims of the cyber attackers.”
Baigent stressed the need for media outlets to proceed cautiously when considering publishing confidential information obtained from cyber attackers.
“It may be difficult to establish that any public interest in publication outweighs the consequence of arguably assisting cyber attackers in extortion attempts,” she said. “The Waikato District Health Board v Radio New Zealand case shows that the court will prioritise the protection of health information and is prepared to grant injunctions against unknown parties in order to protect confidential and private personal details. This is especially so where the information is obtained from cyber attackers.”
Baigent added that since the judgment was handed down, the privacy commissioner has lodged a complaint with the Broadcasting Standards Authority, seeking stricter standards and codes relating to the publication of illegally obtained information by media outlets.