Published on 05/12/2018 | Written by Heather Wright
Notification thresholds, fatigue raise questions…
Last week’s breach of hotel company Marriott International’s Starwood division’s guest reservation database has again thrown the spotlight on data protection requirements for companies big and small, with a survey also showing the impact of data protection reporting regimes on Australian companies.
While Australia’s mandatory data breach notification scheme came into effect in February, a similar regime for New Zealand is still wending its way through the legislative process, with submissions on the proposed changes to the Privacy Bill currently being considered.
Allan Yeoman, partner at law firm Buddle Findlay, says New Zealand has fallen ‘quite far behind’ a lot of its trading partners, where breach notification has been compulsory for some time.
However, he says some of the draft wording around breach notification in the proposed Privacy Bill changes, if not changed, could create new issues for companies operating across both Australia and New Zealand.
“If you look at the way Australia has introduced it and the way we are proposing to introduce it there is a bit of a difference in how it would be applied in New Zealand,” he says.
“The unsatisfactory part at the moment, based on the draft wording, is that if you are a business with both an Australian and New Zealand presence and you have a breach that affects both Australian and New Zealand customers, there is potentially a different assessment and outcome as to whether you need to notify in New Zealand versus whether you need to notify in Australia.”
That difference comes down to the thresholds set. In Australia companies are required to decide whether the harm caused, or that could be caused, is serious and as such needs to be notified. In New Zealand the proposed threshold is lower, essentially any harm, or risk of harm, Yeoman says. It’s an issue that has been pointed out in numerous submissions on the proposed changes.
“It leads to this risk of ‘notification fatigue’. If you set the threshold too low a number of organisations are just going to take the safe approach and notify any breach even if it’s not at risk of causing harm to any individuals.
“As well as being a costly exercise and a compliance burden every time it happens, it is going to create a constant noise and could have the opposite to the desired effect, with individuals whose data has been compromised starting to drown out all the notification headlines because it’s just a standard thing.”
It could, he says, also lead to New Zealand being seen internationally as not having good privacy practices, given the number of notifications made.
An additional potential issue lies in the wording around notification time frames – in New Zealand’s case ‘as soon as practicable’ after becoming aware a breach has occurred. Both the EU’s GDPR and Australia have much clearer time frames, in the GDPR’s case, 72 hours.
“The danger of having the New Zealand wording – as soon as practical – is it risks leading to a rush to report to the commissioner as soon as you become aware of it, but before all the facts are known and potentially leading to providing misinformation,” Yeoman says.
“There is something to be said for having all that investigatory work done and knowing what it is you’re dealing with before having to go public with it and there’s a risk that current wording in our bill may not give people that opportunity.”
In Australia a survey by Aura Information Security – the security division of Kordia – found that 36 percent of Australian businesses surveyed in September had already had to report under the mandatory data breach notification scheme.
Of the 307 business IT decision makers from organisations with more than 20 employees, almost two-thirds said the data breach scheme had prompted them to reassess their cyber-security policies.
However, while respondents professed strong support for the scheme – with 71 percent saying they were in favour of a national mandatory data breach requirement – 17 percent admitted they would try to hide a breach from customers or clients.
The report also found that one in three believed Australia is more at risk of cyber-attacks than the rest of the world, with the majority not ‘very confident’ they could stop a breach.
A similar survey conducted by Aura in New Zealand found 33 percent of Kiwi executives felt New Zealand was at less risk of attack than other countries.
Big-name breaches, such as Marriott and, in New Zealand, Z Energy earlier this year, garner the most attention. However, as Yeoman notes, the mandatory breach notification regime applies to small and medium businesses as well.
“The reality is that the vast majority of breaches are caused by human error – attaching a spreadsheet to the wrong email, leaving a laptop on the bus, things like that. They’re all data breaches in their own right and would need to be notified in the same way as a cyberattack. And they can happen to anyone. So the changes will be significant for the small and medium sized businesses.”