New Zealand’s privacy commissioner is recommending new civil penalties against companies of up to NZ$1 million (US$718,000) for a “serious” data breach to keep up with sterner penalties adopted by Australia and the European Union.
“In light of international trends and current conditions, privacy enforcement sanctions no longer appear adequate to deal with serious breaches,” writes Privacy Commissioner John Edwards in a 27-page recommendation to the government. “Additional civil enforcement sanctions for serious breaches of privacy are needed.”
The country’s Privacy Act, which went into effect in 1993, contains possible breach-related criminal penalties of either $2,000 or $10,000. But those types of cases are resource-intensive for the government to prosecute because of complex criminal procedure rules, and the fines are relatively low, Edwards writes.
New Zealand has been considering revising its Privacy Act for many years. Parliament has yet to pass legislation, but it is expected to act this year. The largest change would be a requirement that organizations report data breaches to regulators and the public (see Australia, New Zealand Still Mulling Data Breach Laws).
Edwards’ review includes five other recommendations covering data portability, compliance, anonymized data, a narrowing of defenses against accusations of a breach and new rules concerning already-public data, such as electoral rolls and land registers.
The country’s Law Commission published a lengthy review of the Privacy Act in 2011, but Edwards writes its suggested reforms aren’t keeping pace with rapidly evolving data-driven business models.
“This new environment is revealing or confirming gaps and pressure points that add to those identified or considered in previous reviews,” he writes.
Edwards’ recommendations would give his office the power to apply to the High Court for civil penalties of up to $100,000 on an individual and $1 million for a corporation for a very “serious” breach or repeated violations.
Under the draft legislation, “serious” breaches would be those that pose a risk of harm, such as loss, injury, significant humiliation or adverse effects on rights or benefits.
The proposal for larger fines reflects an expanding view worldwide that data breaches should come with more serious financial consequences, Edwards writes.
The European General Data Protection Regulation, which comes into force in May 2018, gives authorities the power to impose noncompliance penalties of 20 million Euros (US$21 million) or up to 4 percent of a company’s global revenue, whichever is greater (see Mandatory Breach Notifications: Europe’s Countdown Begins).
“The international context has also seen significant developments,” Edwards writes. “These should now be taken into account in preparing revisions to New Zealand’s privacy law.”
Five years ago, Australia amended its Privacy Act to increase civil penalties. The Office of the Australian Information Commissioner can apply to the Federal Court for fines up to $1.7 million for violations.
Governments are increasingly seeking to release large data sets to the public for external analysis and transparency. But those well-intended efforts have sometimes resulted in significant privacy lapses.
The dangers of data that has been inadequately anonymized are well known. Australia ran into trouble when its Department of Health released a 30-year sampling of pharmaceutical benefits claims Australians made under Medicare, the country’s public health service (see Australian Health Breach Exposes Danger of ‘Anonymous’ Data).
Researchers showed it was possible to decrypt codes that identified service providers. They were unsuccessful, however, in decrypting patient IDs.
As a result, last year the Australian government proposed a change to the Privacy Act that would make it an offense to de-anonymize data sets. Although well intended, it’s questionable in an age of anonymous public data dumps whether such a measure would prove an effective deterrent.
Edwards proposes that New Zealand’s Privacy Act should have a provision that requires entities holding personal data to take adequate steps to anonymize it before public release. Also, the public “should have a means of redress if they suffer harm as a result of being re-identified from supposedly anonymous data,” he writes.
Executive Editor, Security and Technology, ISMG
Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Executive Editor for Security and Technology for Information Security Media Group. He’s the creator of “The Ransomware Files” podcast, which tells the harrowing stories of IT pros who have fought back against ransomware, the greatest crime wave the internet has ever seen.
New Zealand Privacy Chief Backs $1 Million Fines for Breaches