Latitude Financial Services has been criticised for holding on to historic data of New Zealanders and a "she'll be right" attitude after the company was hit by a major data breach.
Latitude reported last week 7.9 million Australian and New Zealand driver's licence numbers were stolen in its cyberattack – 3.2 million of these were from the last 10 years.
A further 6.1 million customer records including some but not all of the Australian and New Zealand customers' names, addresses, phone numbers and dates of birth were stolen in the attack.
New Zealand's deputy privacy commissioner Liz MacPherson claimed some of the records taken from the country's residents are up to 18 years old which "isn't okay" and reveals the broader issue of data retention.
"Data retention is the sleeping giant of data security. There are consequences for holding onto data you no longer need," she said.
"All businesses and organisations can learn from this: don't collect or hold onto information you don't need. The risk is simply too high for your customers and your organisation.
"Don't risk being a hostage to people who make it their day job to illegally extract data."
MacPherson said there is no place for a "she'll be right" attitude to cyber security.
"People make their fortunes from hacking the security of agencies," she said.
"Having sea borders does not protect your very internet-connected agency from being hacked."
She said companies should not be collecting or retaining personal information for so long unless it is for a lawful process.
"The simple discipline of deciding how long information will be retained as you collect it and acting on these decisions will save you and your customers a lot of pain," she added.
New Zealand's privacy laws say that companies cannot retain personal information "for longer than is necessary for the purposes for which it may lawfully be used".
If there is a legal reason for keeping the data, the company can continue to hold it; otherwise it must be erased. The law, however, gives no explicit timeline for what "longer than is necessary" means.
In Australia, the Telecommunications Act says companies can keep information for identification purposes for at least two years.
And the Privacy Act says personal information should be destroyed when the company no longer needs it for "any purpose"; however, it sets no timeframe for how long a company can keep data.
As Latitude and Australian and New Zealand authorities investigate the extent of the hack, MacPherson said some key questions need to be answered by the financial company.
"These include how the cyber-criminal got in, how they managed to penetrate so far and why so many records have been retained for so long," she said.
Latitude is in the process of contacting all affected customers about what was stolen and how they will be assisted.
The company announced it will pay for customers who need to replace their driver's licence.
"It is Latitude Financial's responsibility to put things right," MacPherson said.
"It is important that affected customers give Latitude a chance to make good on their commitments to provide support.
"However, if after people have worked with Latitude their privacy harms have not been resolved to their satisfaction, we encourage people to make a complaint."