Compulsory Data Breach Notification May Impact New Zealand Business Too.
On 22 January 2018 Australia’s “Notifiable Data Breach Regime” (NDPR) takes effect.
Under the NDPR an entity subject to the Privacy Act 1988 (Cth) must notify the Office of the Australian Information Commissioner (OAIC) and take steps to notify affected individuals where unauthorised access to, disclosure of, or loss of personal information occurs that is likely to result in serious harm to any individual.
Organisations incorporated or located outside Australia are also subject to the Privacy Act if they collect personal information from an individual who is physically located in Australia, for example, via a website hosted outside Australia.
The World Wide Web has few, if any, geographical boundaries. A New Zealand company distributing products online is very likely to have customers in Australia. If those customers are individuals, the company is almost certainly collecting personal information about them.
Service companies in New Zealand may well be providing services which require them to hold personal information collected from individuals in Australia.
The OAIC refers to entities subject to the Australian Privacy Principles contained in the Privacy Act as “APP Entities”. Under the NDPR, if an APP Entity suspects an unauthorised access to or disclosure of personal information (information or an opinion about an identifiable individual) it must:
- Within 30 days, assess whether the incident is likely to result in “serious harm” to any individual to whom the information relates. Serious harm is not defined. Instead the Act gives a number of factors to be considered, including: the type of information, the sensitivity of the information, the type of people likely to have obtained the information, security measures (such as encryption) and the likelihood that those measures will be overcome. If a reasonable person would conclude that serious harm is likely to result, there is an “Eligible Data Breach”.
- If there is an Eligible Data Breach, notify both the OAIC and the affected individuals.
Despite the 30 days allowed for assessment, if it is clear that there is an eligible data breach the APP Entity must notify both the OAIC and the affected individuals as soon as practicable. The OAIC sets out four steps in managing an eligible data breach: containment; evaluation; notification; prevention of future breaches.
As well as the cost of completing the recommended steps, the OAIC may decide to seek civil penalties for the breach. The direct and indirect costs of a breach could have a significant adverse impact on the affected company.
However, companies with turnover of less than $3,000,000 may not be considered APP Entities unless they are a health service provider, trade in personal information (e.g. buying or selling a mailing list), or engage in certain other types of activity such as operating a residential tenancy database or contracting to the Australian Commonwealth government.
New Zealand companies may also be caught by the EU General Data Protection Regulation (GDPR), which takes effect on 25 May 2018 and also has a compulsory breach notification requirement (within 72 hours of discovery). One international privacy law expert has described the GDPR as “the strictest privacy law in the world.” It gives EU citizens rights to erasure and portability of data (amongst other things), provides for fines of up to 4% of global turnover for non-compliance, and applies to any organisation that offers goods or services to, or engages in monitoring of, individuals within the EU.
The good news is that many of the costs of a data breach can be covered by a Cyber Insurance policy. A cyber insurance claim is highly technical. An insured wants to be sure the loss adjuster appointed has the requisite skills to assist speedy resolution. GB has a cyber claims service that integrates technical expertise with an understanding of policy coverage. Our cyber team blends loss adjusting and project management experience with deep IT domain knowledge to ensure an appropriate and timely claim response.
For more information on cyber claims and how compulsory data breach notification may impact NZ businesses, contact us today.