infonews.co.nz

New Zealand's outdated privacy law leaves Kiwi consumers in the dark - expert

Thursday 18 June 2015, 10:04AM

By Impact PR


New Zealand’s outdated online privacy laws are leaving consumers in the dark and retailers unprepared for changing international standards, a leading cyber-security expert says.

Under New Zealand’s current laws, if a company is hacked or accidentally releases consumers’ personal data (such as personal details, medical history or credit card information), there is no legal requirement that it tell the consumers affected.

This means that customers’ personal data, including credit card details, tax information and medical histories, could be being passed around online without their knowledge.

The managing director of Delta Insurance, Ian Pollard, says New Zealand’s standards for data security are falling behind the rest of the world, and this puts New Zealanders at greater risk of having their personal information leaked.

“New Zealand ranks fourth in APEC (The Asia Pacific Economic Cooperation forum) for cyber attacks; we simply cannot afford to be complacent on this issue,” says Pollard.

This is also a problem for New Zealand retailers, as it leaves many of them lagging behind much of the developed world, and means they will be flat-footed in the face of changing international standards.

It could also mean they will experience problems if they wish to operate internationally, as New Zealand businesses operating internationally need to abide by the standards of the countries they are doing business in.

Pollard says the USA is currently one of the most advanced legally, with 47 out of 50 states already having mandatory breach notification laws in place, and there are moves towards putting federal laws in place to govern the entire country.

Australia has announced that mandatory notification legislation will be introduced later this year, changing the current status quo where it is recommended but not legally required.

New laws for the European Union are also on the way, scheduled for implementation in late 2015 to early 2016 thanks to updates to the EU Privacy and Human Rights Law.

Pollard says the new regulations will apply to all 27 member states and are expected to significantly change the privacy and data-protection landscape. They will introduce stricter requirements for reporting data breaches within 24 hours of detection, with penalties of 1 million Euros or 2 per cent of the company’s global revenue for non-compliance.

Increased legal standards put retailers whose data security is not up to spec at greater risk of fines or legal trouble. Many international standards can impose fines and penalties if a company is slow in notifying its customers that their data has been leaked.

Existing laws have served New Zealand well, Pollard says, but they are in need of an update to reflect the changing online landscape.

“The New Zealand Privacy Act was written in 1993 to tackle the problems of the time, but the modern cyber-security environment and proliferation of data have grown in ways that were difficult to predict,” he says.

Even if New Zealand standards are not updated, Pollard recommends that retailers put a voluntary notification policy in place to keep themselves at international standards, which will help to protect them legally, boost consumer confidence in their brand and minimise the scramble when New Zealand does update its laws.

Pollard says the government should be careful to avoid creating laws that are too onerous for New Zealand businesses, as the laws adopted by some nations might be too difficult to comply with for smaller New Zealand companies.

Pollard thinks a notification period of fourteen days would be more suitable for New Zealand’s business environment, but that the notice period could vary with the size of the company and the kind of data that was breached.

“Getting the right protections in place is vital, not just for consumers but for businesses as well; a legal battle over a breach can be extremely costly to business both in terms of legal costs and brand damage,” Pollard says.