“I am concerned that businesses and other organisations rely on digital environments but aren’t well set-up to run them safely. The degree of privacy maturity and cyber security practice is not as developed as I would have expected, which says to me that people aren’t always motivated to comply with legislation that protects data, like the Privacy Act,” Webster said.
“The maximum fine I can issue to an organisation for not adhering to a compliance order is $10,000.
“Compare that to Australia, where their maximum fine for serious interference with privacy is $50 million, and you begin to see the issue.”
A wave of cyber attacks and human blunders has seen sensitive data potentially exposed over the past 24 months from incidents involving the Department of Justice, the former Waikato District Health Board, the Reserve Bank, Eftpos provider Smartpay, Nissan New Zealand, Lion New Zealand, Fisher & Paykel Appliances, Master Builders, Kings Plant Barn, the Nurses Organisation, Genopay and Gem provider Latitude Financial, BusinessNZ, Health New Zealand Te Whatu Ora and many more.
Does the industry favour bigger fines?
“There are several considerations when discussing large financial penalties for organisations with lax cyber security measures,” Palo Alto Networks NZ managing director Misti Landtroop said when asked for her take on higher penalties.
“First, if we are to increase the maximum fine, where will this money go? For instance, will the Government reinvest it in cyber resiliency initiatives, or will it be returned to affected customers?
“Second, how effective is punishment in bringing about positive change? Penalising companies won’t enhance their defences against cyber attacks and diverts funds that may otherwise be invested in cyber security,” Landtroop said.
“The fear of a fine could also discourage organisations from being open, collaborative, and sharing information to improve cyber resiliency more broadly.”
Exploring more nuanced reward systems that recognise and incentivise cybersecurity best practices may prove more effective in cultivating a robust cyber defence culture, Landtroop said.
And Microsoft technology strategist Hilary Walton said: “Industry, government and technology leaders need to collaborate, work together and share information to equip organisations with the right security measures and know-how to respond to breaches effectively, as businesses can’t face the rising threat of cyber attacks alone.”
Does the Govt favour bigger fines?
The new Government has taken a multi-pronged approach to technology issues, with different aspects of the portfolio shared between Minister of Science, Innovation and Technology (and Attorney-General, GCSB Minister and Defence Minister and Minister for Digitising Government) Judith Collins, Media and Telecommunications Minister Melissa Lee, Commerce and Consumer Affairs Minister Andrew Bayly, whose brief includes a push for more cyber scam safeguards, and (stay with me) Paul Goldsmith, who, as Justice Minister, addresses data breach issues as the minister in charge of the Office of the Privacy Commissioner.
Does he favour bigger penalties for companies or organisations that are careless with their customers’ data, or that fail to report a breach?
“There are no current plans to amend the offences and penalties in the Privacy Act (2020), but it is something we might consider in the future,” Goldsmith said.
While offences under the Privacy Act are limited to $10,000, Goldsmith noted: “If a resolution isn’t possible, the Privacy Commissioner may refer the complaint to the Human Rights Review Tribunal, which can award damages of up to $350,000.”
“The tribunal has the same powers as a District Court and can make binding decisions, award damages and order parties to pay costs.”
London calling
When submissions were called for what became the 2020 update to the Privacy Act, then-Privacy Commissioner John Edwards - the winding Human Rights Tribunal path notwithstanding - recommended “empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches - up to $100,000 in the case of an individual and up to $1m in the case of a body corporate”.
The Labour-led Government snubbed that, and a number of other modernisation proposals submitted by Edwards.
In 2021, Edwards relocated from Wellington to London after being headhunted to become the UK’s top privacy regulator - a position with teeth he had sought, and then some. He made headlines last year as he thumped TikTok with a £12.7m ($26.5m) fine for collecting data on children.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.