BusinessNZ softens stance on data breaches
The country's top business lobby group, BusinessNZ, has dropped its objection to the idea that companies should be punished if they fail to admit to data breaches.
Justice Minister Judith Collins said last month that organisations would have to inform the privacy commissioner if personal information they held was lost or stolen and would need to notify affected individuals in "serious cases".
Failure to do so would result in a fine of up to $10,000 under a change that will be included in an overhaul of the Privacy Act.
BusinessNZ chief executive Phil O'Reilly said in 2011 that criminal sanctions would be heavy-handed and unjustified, but he has softened that stance.
He remained unconvinced there was a need for a law change but said it was a pill that businesses might need to swallow if the country wanted to be a base for cloud computing and data storage services.
"The rest of the world is going this way," he said.
"The same sorts of laws are being enacted in the United States, Europe and Asia, and if New Zealand doesn't follow we could be seen as an 'outlier' and it could be more difficult for us to trade."
The latest major international data breach was at US online auction site eBay.
The company admitted last month that hackers had obtained the personal data, including the email addresses and encrypted passwords, of all its 145 million users.
O'Reilly said any issues BusinessNZ would have with a law change would be in the details, such as defining what was a "serious" breach.
Another challenge would be working out when companies would need to disclose a loss or theft of data, given a company might suspect one had occurred but it might not always be "instantaneously clear" what had happened.
The worst thing would be a "false positive" like Fonterra's botulism scare and subsequent product recall last year, he said.
BusinessNZ would object if officials implemented the law change in an "impractical fashion", but O'Reilly did not believe that was likely.
A $10,000 fine could be significant for a small business, but it was not likely they would often have serious data breaches as they did not tend to hold lots of data, he said.
InternetNZ policy officer Dean Pemberton said the organisation supported making it mandatory for organisations to report breaches but was concerned the bar for defining a "serious" breach might be set too high.
"If people's personally identifiable information has been lost, then I think there should be an obligation for them to be informed," he said.