
Early action and increased risk mitigation


By Benjamin Di Marco | July 29, 2020

How your business can navigate New Zealand’s mandatory notification privacy law

From 1 December 2020, the Privacy Act 2020 comes into force in New Zealand, expanding the privacy obligations placed on organisations and introducing a mandatory data breach notification regime.

Many businesses are concerned about the liability and reputational risks the new law creates. Those exposures are real, but they can be greatly reduced through careful risk management and a handful of key strategies.

What is happening?

The Privacy Act 2020 repeals and replaces the Privacy Act 1993. The changes are designed to promote early action when an organisation suspects a data breach has occurred and to increase the risk mitigation and management steps taken by "agencies". Almost every business or organisation that holds personal information is an agency under the Act. The legislation also gives the Privacy Commissioner enhanced enforcement and penalty powers.

Complying with the Act – looking to the existing framework

The new Act draws on the key provisions of New Zealand's predecessor privacy legislation and carries over the 12 existing information privacy principles with relatively few amendments, adding a new principle governing the disclosure of personal information outside New Zealand (13 principles in total). These principles house the primary duties placed on agencies in relation to the collection, storage, protection and use of personal information. They also cover individuals' rights to access and correct personal information held about them, and provide additional protection for unique identifiers such as bank client numbers, driver's licence numbers and passport numbers. Organisations undertaking compliance projects for the Act should carefully examine whether their existing processes adequately address the obligations set out in each principle.

Globally, regulatory investigations into breaches of privacy principles and mandatory notification laws go hand in hand. Experience in other jurisdictions suggests that the mandatory notification obligations in this Act will function as the tip of the spear: they provide the mechanism that compels an organisation to publicly admit that a data security incident has occurred, which then allows the regulator to engage with the organisation on its privacy compliance more generally.

Where the Privacy Commissioner examines a notifiable privacy breach, the Commissioner is also likely to scrutinise whether the organisation has implemented steps that comply with the information privacy principles. Any failure to comply that is identified will likely have a significant bearing on privacy-related enforcement and penalty action.

Mandatory notification – the need for strong internal process

The Act requires an organisation to investigate a potential privacy breach and determine whether it is reasonable to believe the breach has caused, or is likely to cause, serious harm to affected individuals. If the "serious harm" threshold is met, the incident is a notifiable privacy breach and must be notified to both the Privacy Commissioner and the affected individuals.

The Act sets out factors an organisation must consider when assessing the risk of harm, including (among other things) any action taken to reduce the risk of harm, the sensitivity of the information compromised, the persons or bodies who have obtained the information, how the information could be misused, and whether the information was protected by a security measure such as encryption.

Collectively, these obligations require an organisation to adopt and document a detailed investigation process to be followed whenever a suspected privacy breach occurs. The process requires factual forensic analysis of how the incident occurred, an assessment (where possible) of the identity and motives of any malicious actors involved, and an examination of how the compromised personal information could be used to cause emotional, physical, psychological or financial harm to the affected individuals.

The crux of this process is that an organisation may be required to justify and explain the assessments it makes under the Act, and must use those assessments to guide its notification and communication with the regulator and stakeholders. The investigation must also be cross-functional and gather information from every employee involved in the incident, because for the purposes of the notification provisions an agency is treated as being aware of a breach as soon as any of its employees is aware of it.

Penalties, accountability and responsibility

The Act creates new criminal offences, including misleading an agency in order to obtain access to another person's personal information, destroying documents containing personal information that are the subject of an access request, and failing to notify the Privacy Commissioner of a notifiable privacy breach. These provisions create additional financial risk for organisations and interact with the pre-existing requirement that every agency appoint one or more individuals as a privacy officer.

Under the Act, a privacy officer is responsible for encouraging compliance with the information privacy principles, dealing with requests made to the agency under the Act, working with the Privacy Commissioner during investigations, and otherwise ensuring the agency complies with the Act. The personal responsibilities placed on a privacy officer sit alongside the Act's offence provisions, which carry fines of up to NZ$10,000, considerably higher than the maximum fine available under the previous legislation.

Organisations examining the Act will need to consider carefully who is appointed as privacy officer, and what resources and internal structures are placed around that person. Regulators around the world have repeatedly stressed that an internal privacy officer acts as the gatekeeper for good organisation-wide behaviour. How an agency supports its privacy officer, and the responsibility and accountability processes it adopts for that role, are likely to become a growing focus for the regulator.

Notification and communication

An agency must notify affected individuals as soon as practicable after becoming aware that a notifiable privacy breach has occurred, unless an exception applies. The "as soon as practicable" requirement means organisations must progress their investigation and notification processes quickly and proactively.

Notification must also be given to the Privacy Commissioner as soon as practicable. If it is not reasonably practicable to notify an affected individual, or each member of a group of affected individuals, the agency will generally be required to give public notice of the privacy breach instead.

Support, risk management and insurance

To navigate the Act effectively, organisations will need to balance the new legal obligations against the business and stakeholder pressures that malicious cyber-attacks commonly create. An organisation responding to a cyber security event faces a complex crisis environment that tests its entire risk management process and requires it to manage competing demands across business interruption, triage, restoration, reputational risk and third-party exposure.

Against this backdrop, organisations must consider carefully how prepared they are to manage data security incidents, and whether they have developed a "resilience reflex". The most effective way to build one is to test incident response processes, run cyber tabletop exercises, and educate incident response leaders on the steps and challenges they would need to navigate during a major cyber incident.

Cyber insurance will also become a critical support for organisations in meeting their obligations under the Act and responding effectively to cyber intrusions. One key advantage of a cyber policy is that it connects the organisation with incident response vendors who have been pre-approved and vetted by the insurer. This allows the organisation to obtain support quickly from forensic, legal, public relations and notification vendors who can assist across the entire response and recovery process.

Complex cyber incidents also typically generate hundreds of thousands of dollars in expenses in the months immediately following the event. With many organisations currently experiencing cash flow strain, the ability of cyber insurance to support liquidity and reduce downtime provides vital financial support to the business's long-term interests.

Author

Cyber Specialist Australia and New Zealand - FINEX Australasia
