New Zealand’s privacy law is falling behind the rest of the world and threatening consumers’ personal data, according to a leading cyber risk management expert.
Under the current law, if a New Zealand company experiences a data breach (such as a hack or accidental leak of customer data) the company is not obligated to inform the affected consumers.
This means that customers’ personal data, including credit card details, tax information and medical histories, could be circulating online without their knowledge.
Ian Pollard, managing director of Delta Insurance, says New Zealand is out of step with international data-security standards and New Zealanders are at greater risk of having their personal information leaked.
“New Zealand ranks fourth in APEC (the Asia-Pacific Economic Cooperation forum) for cyber attacks; we simply cannot afford to be complacent on this issue,” Pollard says.
Pollard says while New Zealand’s data security laws do not currently require mandatory notification in the event of a breach, Kiwi businesses operating internationally do need to abide by the standards of the countries they are doing business in.
In addition, Pollard says the USA is one of the most advanced in this regard, with 47 out of 50 states already having mandatory breach notification laws in place, and there are moves towards putting federal laws in place to govern the entire country.
New EU laws are also on the way, scheduled for implementation in late 2015 to early 2016 thanks to updates to the EU Privacy and Human Rights Law.
Pollard says the new regulations will apply to all 27 member states and are expected to significantly change the privacy and data-protection landscape - they will introduce stricter requirements for reporting data breaches within 24 hours of detection with penalties of 1 million Euros or 2 per cent of the company’s global revenue for non-compliance.
Across the Tasman, Australia has also announced that legislation requiring mandatory breach notifications will be introduced later this year, changing the current status quo where it is recommended but not legally required.
Closer to home, however, existing laws have served New Zealand well, Pollard says, but they are in need of an update to reflect the changing online landscape.
“The New Zealand Privacy Act was written in 1993 to tackle the problems of the time, but the modern cyber-security environment and proliferation of data have grown in ways that were difficult to predict,” he adds.
Pollard says the government should be careful to avoid creating laws that are too onerous for New Zealand businesses, as the laws adopted by some nations might be too difficult to comply with for smaller New Zealand companies.
Consequently, Pollard says a notification period of fourteen days would be more suitable for New Zealand’s business environment, but that the notice period could vary with the size of the company and the kind of data that was breached.
“Getting the right protections in place is vital, not just for consumers but for businesses as well; a legal battle over a breach can be extremely costly to business both in terms of legal costs and brand damage,” he adds.