BusinessNZ softens stance on data breaches

TOM PULLAR-STRECKER
Last updated 16:49 17/06/2014

The country's top business lobby group, BusinessNZ, has dropped its objection to the idea that companies should be punished if they fail to admit to data breaches.

Justice Minister Judith Collins said last month that organisations would have to inform the privacy commissioner if personal information they held was lost or stolen and would need to notify affected individuals in "serious cases".

Failure to do so would result in a fine of up to $10,000 under a change that will be included in an overhaul of the Privacy Act.

BusinessNZ chief executive Phil O'Reilly said in 2011 that criminal sanctions would be heavy-handed and unjustified, but he has softened that stance.

He remained unconvinced there was a need for a law change but said it was a pill that businesses might need to swallow if the country wanted to be a base for cloud computing and data storage services.

"The rest of the world is going this way," he said.

"The same sorts of laws are being enacted in the United States, Europe and Asia, and if New Zealand doesn't follow we could be seen as an 'outlier' and it could be more difficult for us to trade."

The latest major international data breach was at US online auction site eBay.

The company admitted last month that hackers had obtained the personal data, including the email addresses and encrypted passwords, of all its 145 million users.

O'Reilly said any issues BusinessNZ would have with a law change would be in the details, such as defining what was a "serious" breach.

Another challenge would be working out when companies would need to disclose a loss or theft of data, given a company might suspect one had occurred but it might not always be "instantaneously clear" what had happened.

The worst thing would be a "false positive" like Fonterra's botulism scare and subsequent product recall last year, he said.

BusinessNZ would object if officials implemented the law change in an "impractical fashion", but O'Reilly did not believe that was likely.

A $10,000 fine could be significant for a small business, but it was not likely they would often have serious data breaches as they did not tend to hold lots of data, he said.

InternetNZ policy officer Dean Pemberton said it supported making it mandatory for organisations to report breaches but was concerned the bar for defining a "serious" breach might be set too high.

"If people's personally identifiable information has been lost, then I think there should be an obligation for them to be informed," he said.

- Stuff
