The recent comments of the Privacy Commissioner highlight a serious issue for companies in 2023. The Commissioner reported a 41% increase in “serious harm” privacy breach notifications in the first half of the current financial year compared to the first half of the previous financial year.
High-profile incidents arising from human error or technical fault include Archives New Zealand and the University of Otago, while others originated from ransomware attacks (Mercury IT / Te Whatu Ora Health New Zealand and Hamilton Skin Cancer Centre).
The introduction of the Privacy Act in 2020 set out requirements for companies to notify breaches to the Office of the Privacy Commissioner “as soon as practicable”, where the breach gives reason to believe “serious harm” could be caused. The Commissioner’s statement issued late last year invited organisations to this year “make your new year’s resolution to be across your privacy obligations” and laid out some expectations about what this might entail. These included:
- putting people and privacy ahead of reputation or risk, and
- reporting notifiable breaches within 72 hours of identification.
While this is useful guidance on the Commissioner’s expectations, the statutory requirement is context-dependent. For any given set of circumstances, an organisation that has suffered a data breach may have more, or less, time to notify than 72 hours.
Threats to data are increasing and evolving at a rapid pace, with a rise in malicious activity and cyberattacks. These threats require specific consideration and targeted solutions. However, this important issue is not making it to the top of agendas, with NZ directors reporting a decline in the discussion of cyber risk and a decline in confidence in their organisations’ ability to respond to breaches.
Strengthening cyber security is not a “nice to have”; it is a must-do. The recommended approach is that organisations treat all ransomware attacks as having the potential to cause serious harm, so that any instance of malicious activity involving ransomware will initially meet the threshold for notification.
Companies may face financial consequences if they don’t notify a breach as soon as practicable. A company’s actions in relation to the breach may be deemed an interference with an individual’s privacy. Additionally, companies could face further liability for the breach itself if they have not adequately protected data.
Please get in touch with one of our experts if you would like to discuss your cyber security and privacy obligations in more detail.
Thank you to Sophie Dixon for her assistance in the preparation of this Brief Counsel.