Mandatory data breach law - what this means for your business

Changes to the Privacy Act could force NZ businesses to notify people when they have a data breach.

Currently in NZ, if a cyber-attacker steals personal information from a company, the company doesn't legally have to alert those people who are affected or even tell the Privacy Commission. But thankfully, new privacy laws that were introduced into Parliament in March 2018 could make this a thing of the past.

One of the main changes to the Privacy Act, currently with the select committee, is a mandatory data breach notification which will force public and private sector agencies to notify affected individuals, and the Privacy Commissioner, if they experience a 'data breach which poses a risk of harm'. Failure to do so, could result in a fine of up to $10,000. This would encourage businesses to increase security around data storing and sharing, and potentially obtain insurance specific to cyber-security risks.

How do I prevent or minimise data breaches?
As a business, there are several things you can do to help you stay one step ahead of cyber- crime, such as:

• Learn how to identify and deal with cyber-attacks – Make sure you're up-to-date with the latest ways on how to identify, prevent, and minimise data breaches.

• Educate employees - Teach your staff the most secure ways of data sharing and storing, and how to identify and deal with data breaches.

• Evaluate your technology – Check if your software and hardware can adequately identify and deal with data breaches in real time.

• Analyse your data security - Ensure that IT and printer software and security is comprehensive, up-to-date and monitored on a 24/7 basis.

• Minimise the amount of personal information you hold – This can be a tough one, especially when it comes to marketing databases, but if you can, try and decrease the personal data your organisation stores.

• Encrypt and anonymise personal data – When you can, encrypt or anonymise personal information.