Security breach still out of public reach
The Australian Senate has passed a bill requiring companies to report security breaches, while the New Zealand equivalent is still waiting to become law.
Mandatory breach notification was first proposed in the New Zealand Parliament in 2014, with punitive fines of up to $10,000, as part of an overhaul of the Privacy Act.
The Australian law requires breaches that cause ‘‘serious harm’’ to be reported to Australia’s Privacy Commissioner within 30 days. California first passed this legislation in 2001, the EU in 2009.
Privacy Commissioner John Edwards said New Zealand runs the risk of falling behind on mandatory breach notification, which was becoming the global norm. But Edwards said it was ‘‘not a magic bullet’’.
‘‘The breach notification is after the fact... Another element of the regulatory environment that we need is actually some ability for the commission to seek fines for failure to have adequate security.’’
He said fines for having inadequate security were included in a report he gave to Minister Adams just before Christmas and tabled in Parliament a few weeks ago.
The report included the ability for the commissioner to seek higher fines of up to $1 million for companies that made it too easy for employees to steal data, misused personal information, or misled people about why they were collecting information.
RedShield Security chief executive Andy Prow’s company protects some of its clients from more than 10,000 hacking attempts a day.
Prow said a major problem could cost $500,000 to fix or $100,000 to shield. He has seen ‘‘quite a few’’ companies come to him after being breached, but they ended up doing nothing when fixing the problem was too expensive.
‘‘It is quite easy to get away with this in New Zealand, where our laws are not that punitive... Doing nothing is a perfectly valid option.’’