If New Zealand's Privacy Act reforms are passed, NZ
businesses will be required to report data breaches, face audits
and receive fines.
Under the proposed reforms, data breaches will be notified to
the Privacy Commissioner and could be a precursor to audits of
This would rightly be cause for concern for all companies
dealing with personal information in New Zealand.
There are some very important questions that they'll want
answered in the exposure draft legislation:
The definition of a "breach": Is
this only where personal data is deliberately accessed by a third
party, or could it be any loss of a device or even a misdirected
email? Is accidental loss of data which may have a low risk of
consequent harm properly grouped together with malicious
The threshold level of risk of harm before
notifications are made both to the Commissioner and affected
persons: The information released about New Zealand's
proposed laws talks of a first-tier notification to the Commissioner
of "any material breaches" and a second-tier notification
to affected individuals where there is "a real risk of
Notices are useful where they can realistically allow an
affected individual to prevent or mitigate serious harm. This
appears to be the balance reached in the
current (non-mandatory) guidance material published by the New
Zealand Privacy Commissioner.
The new laws are likely to go much further.
It is important, however, that the threshold is set high enough
such that organisations aren't required to give notice where
there is a very low risk of harm. That would be both a poor use of
resources of corporations and the Privacy Commissioner.
I anticipate that mandatory breach notifications could have an
unexpected side effect: they could boost the appeal of global IT
providers, which can be used by organisations to
"outsource" the risk of a security breach to the
The security measures employed by the world's largest cloud
computing providers are likely to be more advanced than the means
of all but the largest of New Zealand's companies. A New
Zealand-based company might further see it as a greater risk to
brand reputation if its own infrastructure were breached, compared
to getting caught up in a broader breach at a large global cloud
It should be noted that efforts to pass mandatory data breach
notification laws in Australia have not met with success.
There is likely to be a downside to creating special procedures
for companies doing business in New Zealand if they can't
secure the agreement of cloud providers to meet onerous regulatory
needs, or if the cost of services to the NZ market increases as a
On that basis it is important to weigh the utility of a
mandatory notice for every breach (even those where the likelihood
of any harm is minimal) against the burdens to be placed on
companies doing business in New Zealand.
Similar laws to those proposed in the NZ reform apply in all US
states, and in many cases the detailed reporting requirements have
led to class action lawsuits from affected individuals seeking
compensation for lax or negligent approaches to cyber security. The
notifications tend to make public details of breaches which would
otherwise not be known.
Cloud computing is going to be a key driver of the global
success of New Zealand businesses in the next 20 years,
particularly given the country's geography. We need to think
very carefully before erecting any unnecessary barriers.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.