Pollard said most states in the USA had laws that mandated the reporting of data breaches.
He also said the European Union planned to implement similar laws late this year or early next year.
Mr Pollard said the upcoming EU laws would create stricter requirements for reporting data breaches within 24 hours of detection.
Non-compliance would attract penalties of more than $1m, or 2 per cent of the company's global revenue.
Australia also planned to introduce legislation requiring mandatory breach notifications later this year, Mr Pollard said.
He said existing Kiwi laws needed an update.
"The New Zealand Privacy Act was written in 1993 to tackle the problems of the time, but the modern cyber-security environment and proliferation of data have grown in ways that were difficult to predict," he said.
Mr Pollard said a fourteen-day notification period would be most suitable for New Zealand's business environment.
He said lawmakers here would have to avoid making laws too onerous for local businesses.
"Getting the right protections in place is vital, not just for consumers but for businesses as well. A legal battle over a breach can be extremely costly to business both in terms of legal costs and brand damage," Mr Pollard said.
"For the time being, New Zealand falls into a group of countries in which breach reporting is not mandatory but is very strongly encouraged by regulatory guidelines," Buddle Findlay lawyers wrote in a paper published earlier this year.
Buddle Findlay said the Privacy Commissioner issued privacy breach guidelines.
"Compliance with the Guidelines is voluntary, but failing to report a breach could put organisations on the back foot with both the Commissioner and the public generally if the breach later came to light."