
76 breaches reported in first four months of revamped Privacy Act

Barely four months since the Privacy Act 2020 came into force, early indications appear to suggest that mandatory breach reporting regulations are working.

The Office of the Privacy Commissioner has revealed that 76 ‘serious’ privacy breaches were reported between 1 December 2020 and 31 March 2021. This is a 97% increase in privacy breach notifications in the first four months when compared to the previous six months.

It's no surprise that New Zealand businesses and individuals are being cautious - organisations that fail to report a serious privacy breach could be fined up to $10,000.

“The law change means that if an organisation suffers a serious privacy breach, it should tell my Office as soon as practicable after becoming aware of the breach,” explains Privacy Commissioner John Edwards.

Of the breaches reported, 65% involved emotional harm, while 30% involved financial harm and 30% involved reputational harm.

The most common categories of privacy breach were email errors in which people sent sensitive information to the wrong person (25%), unauthorised sharing of personal information (21%), unauthorised access to information (17%), website or IT error (10%), and other (27%).

Additionally, 54% of those who reported breaches did so within five days, while 33% did so within two days. Furthermore, 65% of serious breaches had been notified to the affected individuals by the time the same breach was reported to the Privacy Commissioner.

“There are narrow grounds for not notifying individuals of serious privacy breaches so we will be considering this issue further.”

Edwards notes that every industry - from retail and hospitality to the public sector and education - is affected by this legislation.

The top industries that have reported breaches so far include healthcare and social assistance; public administration and safety; professional, scientific and technical services; financial and insurance services; and ‘transport, postal and warehousing’.

“The law change means that the privacy breach information we receive will now be comprehensive and more accurate. We intend to publish this information as a regular anonymised summary to help all organisations know where the greatest privacy risks are.”

The Office of the Privacy Commissioner suggests that organisations should:

• Take extra care when including personal information in emails
• Double check attachments
• Implement a send delay
• Use BCC when sending emails to more than one recipient.

Organisations can report a breach that may cause - or has caused - serious harm to the Privacy Commissioner through the online NotifyUs reporting tool.
