Are data breaches notifiable in New Zealand?
Find out if data breaches are notifiable and how cyber insurance can help.
Unlike other countries, such as Australia, it’s currently not mandatory to report a data breach in New Zealand. But the government is working on a new Privacy Bill that will better protect information collected and stored digitally. The Privacy Bill will likely come into effect in 2020.
This will mean that all qualifying business entities will need to report a data breach to the New Zealand Privacy Commissioner or potentially face a fine. They will also need to notify any third parties who are likely to be harmed by the breach and advise them of what action they should take.
Qualifying entities will include any businesses or organisations that are currently subject to the Privacy Act. This includes many government agencies, organisations with a high annual turnover, credit providers, credit reporting bodies, holders of tax file numbers (e.g., accountants) and any businesses that collect sensitive personal information (e.g., health service providers, child care centres, GPs, pharmacies, etc.).
What is a notifiable data breach?
A notifiable data breach is a breach that occurs when personal information is lost, accessed or disclosed without authorisation and is likely to cause serious harm to someone as a result.
A data breach is notifiable when all of the following apply:
- There is unauthorised access to, disclosure of, or loss of personal information. Examples include a company server containing personal information being hacked, an employee disclosing personal information without authorisation, or a mobile device containing personal information being lost or stolen.
- It is likely to result in serious harm to one or more people. Serious harm might include:
  - Physical harm
  - Mental harm
  - Financial harm
  - Reputational harm.
- Remedial action has failed to prevent the risk of serious harm. An example would be someone leaving a business laptop containing personal information on a train, after which attempts to wipe the laptop’s hard drive remotely using data-eraser software are unsuccessful.
What will this mean for businesses?
Requiring businesses to report notifiable data breaches will have the following implications:
- Potential fines for individuals and organisations who fail to report breaches.
- The urgent need for an effective risk management plan to handle any potential data breaches.
- The urgent need for cyber liability insurance to protect the business from liability.
An effective risk management plan would include identifying personal information at risk and increasing its protection by upgrading security and policies as well as having sound procedures for responding to a breach and minimising its impact.
How can insurance help?
The introduction of a notifiable data breaches scheme is likely to see a sharp increase in the number of businesses seeking to protect themselves from liability with cyber insurance.
A good cyber insurance policy will cover these main areas of risk:
- Technology professional services. This covers your liability for committing an error while providing technology services to others.
- Customer support and reputational expenses. This covers the cost of notifying those affected by a breach, investigating the breach and repairing the reputational damage.
- Multimedia liability. This covers legal costs and penalties awarded for online breach of copyright.
- Business interruption/loss of income. This covers losses incurred while being unable to do business because of a breach.
- Security and privacy liability. This covers legal defence costs and penalties awarded as a result of a breach.
- Cyber extortion. This covers the forensic costs and ransom payments associated with a cyber-extortion attack.
As well as financial protection, some cyber insurance policies even provide hands-on assistance in the form of access to an incident response team. This is a team of specialists who can provide help with reporting a breach and contacting affected parties as well as investigating and resolving data security issues.