Office of the Privacy Commissioner | Greater penalties needed: Privacy Commissioner speaks to National Cyber Security Summit
The Privacy Commissioner, speaking at today’s National Cyber Security Summit in Wellington, has called for greater penalties for data breaches.
This comes on the back of two major research studies that indicate widespread support, including from businesses, for higher penalties for breaches.
Michael Webster, Privacy Commissioner says, “Most of the serious privacy breaches reported to my Office are happening in the digital world.
“I am concerned that businesses and other organisations rely on digital environments but aren’t well set up to run them safely. The degree of privacy maturity and cyber security practice is not as developed as I would have expected, which says to me that people aren’t always motivated to comply with legislation that protects data, like the Privacy Act.
“The maximum fine I can issue to an organisation for not adhering to a compliance order is $10,000.
“Compare that to Australia where their maximum fine for serious interference with privacy is $50 million and you begin to see the issue,” says Mr Webster.
New Zealand business leaders agree. Kordia released its New Zealand Business Cyber Security Report 2023 this week, which showed that one in five businesses have no plan to deal with a cyber-attack. This was despite half (55%) of businesses surveyed with 100 or more employees suffering a cyber-attack or incident in the last year.
The Kordia survey showed that business leaders are generally in favour of more legislation. 58% say an increase in legislation and regulatory guidance will improve cyber security, while almost three quarters think New Zealand should introduce harsher penalties for businesses that fail to protect personal data.
In a separate survey of individuals, Talbot Mills Research asked about fines, with 60 percent of those surveyed saying the current level of fines in the NZ Privacy Act were not high enough.
"We live in dynamic times with significant technological advancements, yet we’re operating on a Privacy Act that is based on policies agreed in 2013,” says Mr Webster.
"We need to ensure our Privacy Act keeps up with global privacy standards or risk that we may no longer be one of the safest places in the world to process personal information.
“That will have a real impact for businesses – not just the direct losses from a breach, but the loss of confidence of our trading partners who expect us to keep up on data protection,” he says.
The Commissioner recommends the following developments to the Privacy Act 2020:
- A civil penalty regime for major non-compliance alongside new privacy rights for New Zealanders to better protect themselves.
- A set of specific amendments to make the Privacy Act fit-for-purpose in the digital age.
- Stronger requirements for automated decision making and agencies demonstrating how they meet privacy requirements.