Are data breaches notifiable in New Zealand?
Find out if data breaches are notifiable and how cyber insurance can help.
On 24 June 2020, the government passed a new Privacy Bill that will better protect information collected and stored digitally.
This means that all qualifying business entities will need to report a data breach to the New Zealand Privacy Commissioner or potentially face a fine. They will also need to notify any third parties who are likely to be harmed by the breach and advise them of what action they should take.
Qualifying entities will include any businesses or organisations that are currently subject to the Privacy Act. This includes many government agencies, organisations with a high annual turnover, credit providers, credit reporting bodies, holders of tax file numbers (e.g. accountants) and any businesses that collect sensitive personal information (e.g. health service providers, child care centres, GPs and pharmacies).
What is a notifiable data breach?
A notifiable data breach is a breach that occurs when personal information is lost, accessed or disclosed without authorisation and is likely to cause serious harm to someone as a result.
A data breach is said to occur in the following situations:
- There is unauthorised access, disclosure or loss of personal information.
- It is likely to result in serious harm to one or more people.
- Remedial action has failed to prevent the risk of serious harm.
Notifiable data breach
Examples include a company server containing personal information being hacked, an employee disclosing personal information without authorisation, or a mobile device containing personal information being lost or stolen.
Examples of serious harm might include:
- Physical harm
- Mental harm
- Financial harm
- Reputational harm.
An example of remedial action failing to prevent the risk of that harm would be if someone leaves a business laptop containing personal information on a train, and later attempts to wipe the laptop’s hard drive remotely using data eraser software are unsuccessful.
What will this mean for businesses?
The implications for businesses being required to report notifiable data breaches will include the following:
- Potential fines of up to $10,000 for individuals and organisations who fail to report breaches.
- The urgent need for an effective risk management plan to handle any potential data breaches.
- The urgent need for cyber liability insurance to protect the business from liability.
An effective risk management plan would include identifying personal information at risk and increasing its protection by upgrading security and policies as well as having sound procedures for responding to a breach and minimising its impact.
How can insurance help?
The introduction of a notifiable data breaches scheme is likely to see a sharp increase in the number of businesses seeking to protect themselves from liability with cyber insurance.
A good cyber insurance policy will cover these main areas of risk:
- Technology professional services. This covers your liability for committing an error while providing technology services to others.
- Customer support and reputational expenses. This covers the cost of notifying those affected by a breach, investigating the breach and repairing the reputational damage.
- Multimedia liability. This covers legal costs and penalties awarded for online breach of copyright.
- Business interruption/loss of income. This covers losses incurred while being unable to do business because of a breach.
- Security and privacy liability. This covers legal defense costs and penalties awarded as a result of a breach.
- Cyber extortion. This covers the forensic costs and ransom payments associated with a cyber-extortion attack.
As well as financial protection, some cyber insurance policies even provide hands-on assistance in the form of access to an incident response team. This is a team of specialists who can provide help with reporting a breach and contacting affected parties as well as investigating and resolving data security issues.