Data, dangers and duties
significant for local managers and directors relate to proactive notification of data breaches, receiving compliance notices and sending private data overseas. It also introduces new criminal offences under which managers and directors are not just personally liable but also face fines of up to $10,000 each.
Until now, if you’ve had a big data breach then you were a mug if you didn’t disclose that breach to the Privacy Commissioner. From now on you are legally obligated to do this when you have a breach that could cause serious harm for the individuals concerned.
Fail to do that and you could get hit with a $10,000 fine and look like an idiot.
Until now the Privacy Commissioner has been a bit toothless (beyond name and shame) in terms of requiring companies to put things right when it comes to data breaches.
From now on the commissioner can issue mandatory compliance notices to make companies remedy a breach. And if they don’t comply then officers of the company can face criminal charges.
Lastly, until now it has been a bit of a foggy question as to whether New Zealand companies and organisations who send personal data overseas need to ensure their foreign owners or partners comply with the New Zealand Privacy Act.
The new act removes that ambiguity. In short, yes it does apply. This brings with it serious implications for the likes of New Zealand banks or insurance companies with Australian owners who send data overseas, or for web giants like Facebook and Google.
And if your organisation tries to delete personal information in the process of investigation or request, then again you face fines of up to $10,000.
All in all, it’s a significant reset of the playing field when it comes to data and director responsibilities around breaches. Such breaches are on the increase in the post-Covid-19 environment, according to the latest Verizon Business Data Breach Report.
A little like the health and safety changes five years ago, directors can’t afford to be asleep at the wheel.
Speaking personally as a company director, there are three questions I’m asking of companies.
The first: does everyone in this joint know when, and whom, to tell if there is a data breach?
Without central assessment and clear channels for investigation and notification, companies run the real risk of violating the mandatory reporting regime to the Privacy Commissioner and facing criminal prosecution.
The second is ensuring that data privacy (and, more broadly, cyber security protection and related incidents) are reported through to the board. A range of useful dashboards have evolved for health and safety reporting over the last five years. It’s time for the same thing to happen around data breaches.
The third is reviewing existing insurance cover to see if their policies cover the new act, which now has a $350,000 per person class action clause.
All in all, a lot for boards to get across. Mind you, if the White Island experience is anything to go by, it’s better to ask these sorts of questions before an incident than afterwards.
Mike “MOD” O’Donnell is a professional director, writer and board facilitator.