
Why the privacy bill needs a serious shake up

By Aura Information Security, 25 May 2019

New Zealanders can be alarmingly lax when it comes to cyber security. Last year, Aura conducted research that revealed one third of IT decision makers in Kiwi businesses believe New Zealand is at less risk than the rest of the world when it comes to cybercrime.

The reality is, nothing could be further from the truth. New Zealand is a hotbed for cyber-attacks, and many businesses, both big and small, are underprepared when it comes to dealing with the growing number of online threats.

Unfortunately, legislation designed to protect the way individuals’ data is held by Kiwi businesses isn’t working. While this has been acknowledged and our Privacy Bill is going through much-needed updates as a result, there is a fear amongst security professionals that the proposed consequences for privacy transgressions won’t be enough to deter indifference.

Currently, the proposed fines for transgressions – as requested by the Privacy Commissioner – are likely to be significantly lower when compared with other jurisdictions; or they may not be introduced at all.

While this light-handed approach is reflective of our often ‘friendly’ approach to bringing about change in New Zealand, ultimately it’s not going to shift the dial as far as online security and data privacy are concerned.

Things have changed since 1993…

The current Privacy Act was last updated in 1993 – when many New Zealanders didn’t even know what the internet was. Malware, phishing attacks, and ransomware were a thing of the future. In 2019, these are so common that according to recent Aura research, more than a quarter of all New Zealand businesses state they have fallen victim to a cyber-attack, and the same amount expect to fall victim to further attacks.

The responsibility of NZ businesses

One positive provision outlined in the Privacy Bill update is for the Commissioner to make binding decisions around who has access to data and how much information a company can gather. A basic rule, therefore, is that if you don’t need personal information for a specific purpose, you should not be gathering it.

While collecting information with no apparent purpose therefore appears to be illegal, there are no prescribed fines for it. Furthermore, those companies which are found to have failed in their duty to protect customer information through a hack or negligence will have to notify people of the risk – although only if the breach has caused or is likely to cause ‘serious harm’.

The penalty, therefore, is likely to be limited to some reputational harm, whereas other jurisdictions, such as Australia, are fining organisations that fail to do enough to protect information up to A$2m.

What New Zealand Privacy Commissioner John Edwards has publicly asked for is the ability to impose financial penalties on directors and companies who flout their duty of care over data privacy, requesting fines of up to $100,000 for company officers and $1m for companies. These numbers may be less than what Australian legislation requires, but at the very least they give the Commissioner more power and influence, and in my opinion, giving Edwards a bit of bite to support the bark is a positive thing.

It is worth noting, however, that the cost of compliance for companies most likely to commit Privacy Bill infringements can be too high to warrant making changes. While large organisations, such as banks, tend to have industry-specific regulations to follow, at medium and smaller-sized business level data regulation is often less effective.

Depending on the type of business and the type of customers they serve, there may or may not be regulations governing data protection that extend to the smaller business. In short, there isn’t any way to know for sure what measures a smaller business has for data protection. With cross-contamination being a big issue, we often advise that larger companies trading with smaller ones should assess the data security measures of their partners.

What next?

My hope is that most companies (and directors) don’t need the threat of a hefty fine to do the right thing. However, it’s highly likely the possibility of severe penalties would provide more of an incentive for those liable to take a better look at the policies and procedures they have in place to ensure the security of their customer data.

The new legislation is a positive step forward for New Zealand in this digital age. And while it’s likely to be fit for purpose for the next five or so years, given the rapid rate of change, there is no doubt that it will need further updates in the not too distant future.

This article was first published on