A law change in Australia introducing mandatory data breach notifications is expected to speed up similar legal changes here in New Zealand, according to a cyber risk and breach response expert.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed last week by the Australian Parliament and is now awaiting Royal Assent.
Twelve months from that date, the changes will come into force, affecting all entities currently regulated by the Privacy Act.
DAC Beachcroft partner Mark Anderson said it was vital for any organisation carrying on business in Australia to ready itself for these changes by taking the appropriate steps.
“An organisation will be impacted even if not an Australian business if the organisation carries on business in Australia, and the personal information was collected or held by the organisation or operator in Australia either before or at the time of the act or practice,” he said.
“We strongly advise organisations to be ready for these changes by taking advice on appropriate data breach response plans and ensuring their risk management programs, including insurance, are adequate and in place in the event that a breach occurs.”
An ‘eligible data breach’ would arise when there had been unauthorised access to, unauthorised disclosure, or loss of personal information that a reasonable person would conclude was likely to result in serious harm to the individuals concerned, Anderson said.
Entities were exempt from notification if they took sufficient remedial action in respect of a data breach such that the breach would no longer be likely to result in serious harm.
Anderson also gave a forecast of how long it would take before similar changes were made in New Zealand.
“These changes will likely fast-track similar changes being enacted in New Zealand, where proposals for reform are likely to be enacted in the next 12 months,” he said.
Meanwhile, New Zealand’s privacy commissioner John Edwards has recommended civil penalties against companies of up to $1 million for ‘serious’ data breaches in an attempt to keep up with Australia.
If adopted, the commissioner would be able to apply to the High Court for a civil penalty of up to $100,000 for individuals and up to $1 million for public and private sector organisations, for serious breaches.
Edwards made six recommendations in a recent report on the current operability of the Privacy Act, tabled in Parliament earlier this month.
- Empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate)
- An update to protect against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised
- Introducing data portability as a consumer right
- An additional power to require an agency to demonstrate its ongoing compliance with the Act which would enable the Privacy Commissioner to proactively identify and respond to systemic issues
- Narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner; and
- Reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.
Edwards said he made the recommendations because ‘a lot had changed’ since the Law Commission’s review from 2008-2011.
“Important developments since 2011 that impact on the operation and adequacy of the privacy legislation include developments in data science and information technology, and new business models built on data-driven enterprise,” he noted.
He said these gaps needed to be addressed in order for the proposed reforms to be effective.