Increased powers to investigate privacy breaches and higher penalties for such breaches are just some of the proposed changes under the government’s plans to overhaul the Privacy Act with dramatic effects for insurers, a top NZ lawyer has said.
Toby Gee, special counsel with law firm Minter Ellison Rudd Watts, said insurers need to be aware they will have significantly greater exposure as a result.
Gee said a two-tier reporting obligation will require organisations to self-report data breaches. All breaches will have to be reported to the privacy commissioner (Tier 1) but serious breaches (Tier 2) will also need to be reported to the persons affected.
Penalties are set to increase from $2,000 to $10,000 for privacy breaches, with a penalty of up to $10,000 for breaching the reporting obligation.
But Gee says New Zealand could still go the way of other jurisdictions where penalties pack a far greater punch.
“For example, in the UK the maximum penalty is GBP500,000, approximately 50 times higher than the proposed new maximum in New Zealand, and the EU looks set to increase maximum fines to 100 million euros (NZ$150m) or 5% of an offending company’s annual worldwide turnover if higher,” he said.
“So it remains to be seen for how long the New Zealand government will continue to consider the proposed maximum penalty of NZ$10,000 to be adequate.”
He added: “The commissioner will also have increased powers to investigate, and an increased budget to do so. This is likely to be an area of significant exposure for insurers covering the costs of dealing with such investigations, which may rapidly outstrip the maximum fines.”
Gee also warned that there could be a greater likelihood of derivative claims arising from privacy breaches and cyber-crime.
In the USA, banks have launched class actions against retail giant Target for recovery of losses caused by the 2013 hacking which saw 40 million customers’ credit card details stolen.
Indeed, he said New Zealand is already seeing derivative actions in other areas such as failed property developments and failed investment companies, where plaintiffs attempt to claw back money from related professionals such as auditors or lawyers.
He said: “It is probably only a matter of time before similar actions occur against companies or related professional advisors in relation to losses caused by privacy breaches (whether or not involving cyber-crime), particularly where those losses are alleged to be due to inadequate security or inadequate responses to previous security breaches.”
Citing a PwC information security survey, Gee said that with New Zealand traditionally being regarded as a low-crime environment, its IT encryption and security processes appear to have lagged behind those of other developed countries, making it a soft target for cyber criminals.
“New Zealand is not immune from the global rise in cyber-crime,” he said.
“This, combined with often less stringent security procedures, suggests that New Zealand is at risk of a faster rise than in some other countries, depending on the speed with which New Zealand companies and individuals can bring their IT security precautions up to international best practice levels.”