What Will it Cost if I Have a Data Breach?
The updated Privacy Act will make it mandatory for companies and organisations who have suffered “serious” data breaches to let affected parties and the NZ Privacy Commissioner know as soon as they find out about it – not months or years down the track, which has often been the case in the past.
The amended Privacy Act also allows the Privacy Commissioner to issue compliance notices to compel organisations and companies to comply with the law and fine them up to $10,000 for failing to do so.
Secondly, the new Privacy Act could allow for something we haven’t seen in New Zealand before: the “data breach class action”. Under the Act, an affected group, organised and perhaps funded by law firms, could take a case to the Human Rights Review Tribunal, the independent judicial body that hears claims relating to breaches of the Human Rights Act, the Privacy Act and the Health and Disability Commissioner Act.
The Tribunal regularly awards damages in the tens of thousands of dollars for “emotional harm” and “humiliation, loss of dignity and injury to feelings” to individuals or groups of individuals. It will typically issue a “declaration of breach of privacy” if such a breach has occurred.
Under the declaration, the Privacy Act allows for the Human Rights Review Tribunal to award up to $350,000, paid by your company or organisation.
Finally, if credit card numbers, and therefore cardholder data, are included in the disclosed breach, the card brands can also fine you under the agreement you have with your bank. We talk about what you probably agreed to in your merchant banking agreement in our post Where Does it Say I Have to be PCI Compliant? After all, new credit or debit cards will need to be issued, and they will be looking at you to meet those costs, not to mention cover any other losses the card schemes or banks may incur.