04/03/18 |

Why New Zealand Should Emulate Australia’s Mandatory Data Breach Laws

Cyber threats are expected to become more prevalent than ever in 2018; due to an increasingly connected world, the rise of the Internet of Things, and evolving business practices, among other factors. All evidence points to hackers getting smarter, and many security experts are predicting that we’re going to see even more cyber-attacks this year. But, what are we doing about it?

In February 2018, the Australian government’s Notifiable Data Breaches (NDB) scheme came into effect. The overall aim of which is to improve reporting of cyber-attacks, reassure individuals and businesses as to their data’s safety, and encourage Australian organisations to take greater responsibility with the information of their customers.

The new scheme applies to all organisations who were previously covered by the Australian Privacy Act (essentially businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients). It means that, should personal information held by an organisation be involved in an eligible breach that’s likely to result in serious harm, it must notify every individual involved.

Breach reporting laws in New Zealand
With cyber breach reporting now mandatory in Australia, and as a country that prides itself in the strong ties it has with its trans-Tasman neighbour, the question arises: should New Zealand follow suit and introduce similar laws locally?

According to Peter Bailey, General Manager at Aura Information Security, the answer is yes.

“As a company that witnesses all too often the negative impact of data breaches and cyber-attacks on business, Aura Information Security is very much in support of introduction of similar laws here in New Zealand; and view it as a key component of the maturing cyber security market.

The reality is, businesses need to be better prepared to not only defend against cyber-attacks, but to respond to them effectively; and in a way that has minimal impact on both business and customers. Mandatory Breach Reporting, in our view, will ensure our country as a whole is better equipped to deal with the growing number of online threats.”

The Australian Privacy Amendment (Notifiable Data Breaches) Act 2017 states, ‘Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.’

Such data breach notification laws have been on the horizon of many developed countries for some time, with some states in the USA, for example, having had comparable laws since 2002.

Aura Information Security Principal VSO, Barry Brailey, puts it simply: “When someone else holds something of yours that is valuable, they have a duty to look after it. They also have a duty to let you know if something happens to it – and that’s really what notification laws codify.”

How would this work locally?

With many companies running trans-Tasman operations, the Australian law serves as a good template from which New Zealand legislators could work. The process is already, to some extent, underway, with the Law Commission Review locally having recommended a law of this type some seven years ago.

However, variations in laws that trans-Tasman companies must comply with will likely create some difficulty.

“There will almost certainly be variations if data breach notifications are introduced to New Zealand. But what Australia has done provides a very good template. It appears well balanced, although it doesn’t apply to small companies at this stage, and there are some elements that are potentially confusing and will need testing before the courts to see how they play out,” Brailey says.

An example is the provision of the law that requires notification of the compromise of information that could cause ‘serious harm’.

“There isn’t a definition of what constitutes ‘serious harm’, so it is currently open to interpretation,” Brailey points out. “As it stands, it seems something as innocuous as email addresses wouldn’t reach the threshold of ‘serious harm’, while birth dates, addresses and potentially credit card details, which can be used for identity theft and fraud, probably would.”

Instead, it’s suggested breach notification could apply to the compromise of all personal information to remove any uncertainty around what is legally required to be reported. And should New Zealand implement similar laws, it would be advisable that small companies are not exempt as they are in Australia.

“Most companies start out small, and if they are aware of a duty to advise the government of data breaches, they are likely to build information security into the operation of the organisation as a business discipline like any other – and that’s a good thing,” Brailey says.

One sensible aspect of the Australian legislation is that companies aren’t required to report each and every potential breach, so long as they have taken reasonable steps to secure the information of their customers. For example, if a laptop that holds sensitive information is misplaced, but that laptop is password protected and all data is encrypted, then this may not warrant a breach notification. In cases such as this, it’s necessary to ensure that reasonable mitigations are in place to be confident that data has not been breached, but this element of the legislation ensures that significant breaches are prioritised.

“This really goes to the heart of information security: it is practically impossible to ensure information is 100 per cent secure. But it is also practically possible to take sensible actions that put in place suitable protections to keep data generally safe, without enormous expense and effort,” says Brailey.

The upshot of the law is that most companies to which it applies will be more careful and establish appropriate measures to protect information. After all, while the government has indicated it doesn’t intend to enforce punitive measures, the law does provide for fines of up to $2.1 million.

Impact on businesses

According to a survey of 225 business IT decision makers conducted by Kordia in September 2017, more than half of respondents stated that they provide some form of cyber reporting to the Board or senior management. Seven in 10 stated their business would be prepared to notify customers if a breach occurred, and six in 10 would report a breach even if not legally required to do so. This suggests Kiwi businesses would be accepting and open to a mandatory reporting law should it be introduced.

However, some businesses might have concerns that reporting a breach puts them at risk of damaging their reputation to existing and potential clients, who may question the business’ security measures and trustworthiness.

Rather, it’s unlikely businesses will be in any danger of losing customers when they do report a breach; instead, their customers are likely to be pleased with proactivity and dealing with such an incident in a responsible manner.

So where to from here, for New Zealand? Data breach notification legislation has been in the review process for some time; a new government has taken office, and it should be straightforward to revisit the case for its introduction.

Overall, the basis for this legislation is positive. It offers a direct benefit to public because it would ensure that Kiwis are made aware if their information is compromised, and at the very simplest level – that is a right we should enjoy.

Get the latest Aura news
Stay up-to-date on Aura news and events – follow us on LinkedIn and Twitter.
Follow our research
View our team's work on our dedicated Aura research blog…
Search our archives
Looking for something specific? Search the Aura archives…