The main points to note:

• Mandatory notifications of privacy breaches – both to the affected parties and to the Privacy Commissioner;
• The Privacy Commissioner has the power to issue non-compliance penalties of up to NZ$10,000. It will be interesting to see if these rise in time. In comparison, the equivalent legislation in Australia has penalties of AUD$2.1m (although last year the Australian Government announced its intention to increase these) and in the EU, the GDPR fines reach the greater of €20m or 4% of the global annual revenue;
• If sharing information overseas New Zealand organisations must ensure that those in receipt can implement similar levels of privacy protection to those in New Zealand;
• The Act also applies to organisations without a physical presence in New Zealand who collect, process or store personal information of New Zealanders.

Please click here to learn more about the changes provided by the international law firm Wotton + Kearney.

Please talk to your aibGROUP Insurance Broker about Cyber Risk. Cyber policies is one means to mitgate the costs associated from a notification of privacy breaches. 

Overseas, mandatory reporting led to increased numbers of reported security breaches. Dependent on the amount of personal records held, and the scale of the data breach, the costs to notify can be significant.

Source: Vero Liability