The New Zealand Government has announced its intention to introduce a mandatory data breach reporting law as part of a raft of proposed changes to its privacy legislation.
If New Zealand’s Privacy Act reforms are passed, NZ businesses will be required to report data breaches, face audits and receive fines.
Under the proposed reforms, data breaches will be notified to the Privacy Commissioner and could be a precursor to audits of security measures.
This would rightly be cause for concern for all companies dealing with personal information in New Zealand.
There are some very important questions that they'll want answered in the exposure draft legislation:
- The definition of a “breach”: Is this only where personal data is deliberately accessed by a third party, or could it be any loss of a device or even a misdirected email? Is accidental loss of data which may have a low risk of consequent harm properly grouped together with malicious access?
- The threshold level of risk of harm before notifications are made, both to the Commissioner and to affected persons: The information released about New Zealand’s proposed laws talks of a first-tier notification to the Commissioner of “any material breaches” and a second-tier notification to affected individuals where there is “a real risk of harm”.
Notices are useful where they can realistically allow an affected individual to prevent or mitigate serious harm. This appears to be the balance reached in the current (non-mandatory) guidance material published by the New Zealand Privacy Commissioner.
The new laws are likely to go much further.
It is important, however, that the threshold is set high enough that organisations aren't required to give notice where there is a very low risk of harm. That would be a poor use of the resources of both corporations and the Privacy Commissioner.
I anticipate that mandatory breach notifications could have an unexpected side effect: they could boost the appeal of global IT providers, which can be used by organisations to “outsource” the risk of a security breach to the cloud.
The security measures employed by the world’s largest cloud computing providers are likely to be more advanced than the means of all but the largest of New Zealand’s companies. A New Zealand-based company might further see it as a greater risk to brand reputation if its own infrastructure were breached, compared to being caught up in a broader breach at a large global cloud provider.
It should be noted that efforts to pass mandatory data breach notification laws in Australia have not met with success.
There is likely to be a downside to creating special procedures for companies doing business in New Zealand if they can't secure the agreement of cloud providers to meet onerous regulatory requirements, or if the cost of services to the NZ market increases as a result.
On that basis it is important to weigh the utility of a mandatory notice for every breach (even those where the likelihood of any harm is minimal) against the burdens to be placed on companies doing business in New Zealand.
Similar laws to those proposed in the NZ reform apply in all US states, and in many cases the detailed reporting requirements have led to class-action lawsuits from affected individuals seeking compensation for lax or negligent approaches to cyber security. The notifications tend to make public details of breaches which would otherwise not be known.
Cloud computing is going to be a key driver of the global success of New Zealand businesses in the next 20 years, particularly given the country's geography. We need to think very carefully before erecting any unnecessary barriers.
Mark Vincent is a partner at Shelston IP lawyers, and a specialist in digital law. He has represented both cloud service providers and large organisations engaging with them.