Firms could face fines

A cyber expert believes reporting of data breaches will soon be mandatory in New Zealand, and law firms could face fines or criminal liability for non-disclosure.

Mandatory data breach reporting could soon be a reality for New Zealand business and firms, a cyber-security expert has warned.

“The risk of privacy breaches is not something limited to other countries, but one that is knocking on New Zealand’s door,” Howard Nicholls, general manager of managed cyber-security firm Network Box, told NZLawyer.

“A reform in New Zealand legislation will align us with OECD guidelines on privacy protection.”

These legislative changes have the potential to greatly affect the relationships firms’ clients have with their own customers, and how they tackle information privacy and security, Nicholls said.

While it’s not currently compulsory to report a data breach in New Zealand, Nicholls said that failing to report a breach could paint an organisation in a bad light with both the Commissioner and the public.

He believed two categories of notification will be established.

“Notification to the Commissioner would be compulsory for all data breaches classified as either tier one (material breaches) or tier two (serious breaches). Affected individuals would only be notified in cases of a tier two, serious breach, where there is a real risk of harm.”

Nicholls warned that a failure to notify the Commissioner of a breach would be a criminal offence, carrying a significant fine.

New Zealand businesses providing information to a foreign entity will also fall under the proposed legislative reforms. “New Zealand businesses will need to take steps to protect personal information before it leaves their control, ensuring the recipient has acceptable security standards in place,” Nicholls said. “Organisations failing to do this may face liability.”

Nicholls warned that the organisational implications and long-term effects of a privacy breach are significant and can be difficult to recover from.