Data Breach Notification Law - New Zealand falling behind


This week the Australian Senate passed legislation that will see a mandatory data breach notification scheme that should be in place this year. The scheme applies to only government agencies governed by the Privacy Act and businesses with a turnover of over $3m per year. Penalty provisions are $360K for individuals and $1.8m for organisations. The definition of a serious breach is deemed to have occurred when there is unauthorised access to, loss or disclosure of customer information which may cause a real risk of serious harm to the individuals concerned. The type of information, but not limited to, includes personal details, credit and tax information. 'Harm threshold' involves serious, physical, psychological, emotional, economic, financial or reputational harm.

Organisations are able to mitigate a suspected data breach by taking certain actions. There are cited examples; such as a stolen or lost device being remotely wiped before its content can be accessed. It further mentions a smartphone being left in a taxi and where the individual can be certain the driver did not access the device. Where a breach is suspected it is required to undertake an assessment within 30 days and if a specified criteria is met to inform the Privacy Commissioner.

The Federal Government in Canada is in the final stages of enacting legislation to report cyber security breaches, as part of the Digital Privacy Act 2015 that awaits the specific regulations to be promulgated.  Like Australia there is a reporting regime to the Privacy Commissioner with penalties of $100K for non compliance. There is no turnover limits so the Canadian legislation appears more encompassing than Australia.

In New Zealand the Privacy Commissioner has issued Privacy Breach Guidelines which encourage a notification process, but this really has no teeth, as there is no penalty regime other than the being sanctioned. As far back as 2011 the Law Commission initiated its privacy law review, a subsequent Cabinet paper in 2014 agreed with the recommendations specifically with a two tier process; (i) entities to notify the Commissioner of material breaches (ii) more serious breaches a dual notification to the Commissioner and the affected individuals. Non compliance would see a fine of $10K, with the apparent perception the 'naming and shaming' is an effective deterrent rather than being financially punitive.

Within business the integrity of data protection safeguards and management should be a hardwired governance requirement, no different from other mandatory compliance such as accounting standards.  A tough penalty regime with both consequences of potential reputational damage and financial penalty provide a strong incentive to manage privacy indiscretions and to ensure internal processes are implemented to best practice standards. In May 2016 NZ Justice Minister Amy Adams stated her intention to release a new draft of a Privacy Bill by the end of 2016 - yet to be seen. Given the dealing of notification of data breaches is only one element of a wider revamp of the Privacy Act, being election year it is anyone's guess as to when New Zealand will catch up. 

Privacy concerns evoke a great deal of emotion and concern,  as actual real personal data is capable of being exploited for identity theft or other nefarious purposes.  This is even more prescient as  businesses enable their data in the cloud or hybrid solutions, where it may not be adequately protected, or exposed to weak or sloppy process. This represents a far greater threat than Google, Facebook, Apple et al tracking your online activity. 

Within this brief synopsis we have linked to the source material. Whilst NZ falls behind in this it should not be an excuse in the interim to disregard best practice. At Move37 Consulting we understand these business risks and the strategies to mitigate privacy breaches within your IT resource. 

Gavin Bennett