By Joshua Gamrbrill
21 October 2020
From December 2020, New Zealand’s privacy laws will change. Businesses will have to report for the first time when data becomes inaccessible, as well as when it is accessed by unauthorised parties. This is a significant departure from how the Australian laws have been interpreted in practice to date, and it will have implications for businesses that operate in either jurisdiction.
This means a ransomware attack, a computer system failure, or the sudden disappearance of a cloud service could require Australian businesses operating in New Zealand to report when data can't be accessed and where the loss of access causes harm.
Australian businesses that are subject to the Australian Privacy Principles must ensure personally identifiable information (PII) is protected and have procedures for notifying affected parties and the Office of the Australian Information Commissioner (OAIC) if there’s a data breach. Australian laws do not stop companies from reporting a loss of access but the OAIC’s biannual reporting puts the focus squarely on breaches and not loss of access.
Section 117(1) of the New Zealand Privacy Bill defines a privacy breach as either “unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or an action that prevents the agency from accessing the information on either a temporary or permanent basis.”
Ransomware and denial of service attacks can make data inaccessible – potentially forever. Even a system outage that prevents customers from accessing PII could result in a business being obligated to notify the New Zealand Privacy Commissioner. These events are not reportable to the OAIC, although ASX-listed companies need to provide information to the Australian Securities and Investments Commission (ASIC) under ASX Listing Rule 3.1 if there’s an event that a reasonable person would expect to have a material impact on the value of the company.
There are thousands of ransomware attacks in Australia each year, and recent data shows that denial of service attacks that block access to systems are increasing in number and magnitude. Accidental errors, such as forgetting to review a software licence agreement, or a hardware failure can also result in a loss of data access.
The New Zealand legislation reminds us that serious harm can be caused by the loss of access to PII. Only time will tell whether the OAIC and the courts will come to treat loss of access to PII the same way.
Even if your company doesn’t conduct business in other overseas jurisdictions, it’s a good idea to ensure your privacy controls and response plans cover the loss of access to PII as well as disclosure to unauthorised persons. Organisations handling the PII of Australian residents should consider updating their incident and reporting processes to address loss of access to PII, and should ensure they have safeguards against loss of access and the means to recover lost PII data quickly.
Businesses need processes in place to minimise the risk of loss of data access. This isn’t just to meet a regulatory or compliance requirement. It makes good business sense.