Proposed data breach fines a ‘drop in the ocean’

The New Zealand government is expected to introduce a rewrite of privacy laws into Parliament next year, but one security expert says the proposals are imprecise and don’t go far enough.

Trend Micro’s senior security architect Peter Benson says data breach disclosure laws are long overdue and will bring New Zealand into line with what’s happening elsewhere.

“We are following the world rather than leading,” he says, noting data breach disclosure has been debated in New Zealand since at least 2002.

However, Benson describes proposed penalties such as a $10,000 fine for not notifying the Privacy Commissioner of a breach, as a “slap on the wrist”.

“Liability or decent fines are needed for people who fail to disclose,” he said.

Further, a lot of the provisions remain undefined and may only be defined in case law after a new Privacy Act is passed.

The meaning of terms such as “serious cases”, “enforcing compliance” and “reasonable care” remain unclear.

“I think there will be some interesting cases after the first few months,” he says.

A June Privacy Commission newsletter says the proposed new law will introduce mandatory reporting to the Privacy Commissioner. In serious cases they will also have to notify affected individuals. Failing to notify or obstructing the commissioner will be illegal and carry penalties of fines up to $10,000.

The Privacy Commissioner will also have new powers to issue compliance notices and to independently investigate a privacy issue.

The privacy complaints process would also be streamlined, allowing for groups of people to bring "representative" complaints - similar to class actions.

The reforms are the culmination of a process that began with a four-year-long Law Commission review, resulting in recommendations in a 2011 report. 

“Since the Privacy Act was passed 20 years ago, we have seen huge technology-driven changes. The Law Commission report recognised that individual New Zealanders have countless new opportunities from technological developments, but that there are also real risks,” Privacy Commissioner John Edwards said.

“People's information can be lost or hacked; organisations collect huge amounts of our confidential information and then fail to protect it; individuals can breach others’ privacy by highly offensive internet postings. The law needs to be flexible and strong enough to be able to deal with these kinds of problems.” 

New Zealand’s law is likely to differ from Australia’s in some key ways.

“Some of the reported uncertainty from business groups about the Australian law was based on the Australian Privacy Commissioner’s ability to go to court to seek steep civil penalties for serious or repeated infringements of the law (max of A$340,000 for individuals and A$1.7m for organisations),” a Privacy Commission spokesman explained.

The New Zealand proposals don’t include a fines regime for breaches, just for failing to report them to the Commissioner. People will, however, still be able to go to the Human Rights Review Tribunal to claim compensation for harm caused by breaches.

While there will be no fine for the security failure that caused the breach, the Privacy Commissioner will be able to order agencies to fix their security systems to prevent breaches in the future. 

“The Australian law also made more dramatic changes to agencies’ obligations than our proposals will,” the spokesman said.

“For example, there were previously two sets of privacy laws in Australia: basically, one governing the public sector and one governing the private sector. The reforms have brought them together into one set of principles, and agencies have had to change how they do things accordingly. 

“Here, we’ve always had the same set of principles governing both businesses and government.” 

Benson is optimistic that package will produce a change for the better and drive organisational change and understanding of their accountability to protect private data, even where that is outsourced to cloud-based providers. 

It will also help deliver real threat and breach statistics in New Zelaand for the first time, he said. 

“I have seen a number of significant breaches. A lot are swept under the carpet under the current guidelines,” Benson said.

Benson was the founder of Security-assessment.com which was sold to Datacraft in 2008.