Privacy Commissioner calls for significant fines and ‘real consequences’ for cybersecurity breaches
Publish Date: 2026-02-01 13:48:00
Source Domain: lawnews.nz
Neil Sands
Privacy Commissioner Michael Webster wants the power to impose multi-million-dollar fines in the wake of the Manage My Health (MMH) data breach, arguing his organisation needs teeth because New Zealand businesses are too complacent about cybersecurity.
In one of New Zealand’s biggest privacy breaches, privately-owned health portal MMH was hacked last month and the medical records of more than 120,000 users stolen. The hackers threatened to release the information on the dark web unless they received a $60,000 ransom.
Webster said the extortion attempt left affected users, who had entrusted MMH to hold their data securely, facing the “truly devastating” prospect of sensitive information, such as mental or sexual health records, being published online.
While MMH now says the issue has been “contained”, Webster has launched an urgent inquiry which is due to deliver interim findings by April 30, followed by a deeper dive into how digital service providers handle sensitive data.
He said this was needed because lax attitudes to cybersecurity are common among New Zealand businesses and the Privacy Act 2020 lacks the means to make them meet basic privacy requirements, falling well short of legislation in overseas jurisdictions.
“While there are some exceptions, generally we continue to see complacency across the board, with many agencies taking the approach that privacy breaches and cyber-security hacks will happen to somebody else, not to them,” Webster told LawNews.
“It is not until the privacy risk becomes an issue that organisations prioritise focus in these areas. Even then, once the glare of publicity shifts, focus on good privacy and data-protection basics tends to fall away.”
‘Real consequences’
Under the current Act, the Privacy Commission can investigate breaches, recommend remedies and impose fines of up to $10,000, but Webster wants it amended to ensure companies face genuine consequences when standards are not met.
He points to Australia’s privacy regime, where companies can be fined either $A50 million ($NZ58m) or 30% of annual turnover, whichever is greater.
Australia’s privacy regulator secured its first civil penalty in October last year, when the Federal Court ordered Australian Clinical Labs to pay $A5.8m ($NZ6.7m) over a 2022 data breach involving the records of 223,000 people.
Australia beefed up its privacy laws in 2022 after a string of data breaches and Webster said it was time for New Zealand to take similar action.
“If New Zealand wants to be serious about privacy, then organisations need to be held accountable for their failings in handling personal information. That includes introducing significant fines and real consequences,” he said.
“We see multi-million dollar penalties in Australia for organisations who fail to protect personal information, but in New Zealand there’s no civil penalty regime.”
The Privacy Act falls under the portfolio of Justice Minister Paul Goldsmith, who said he would consider making changes.
“The government made changes to the Privacy Act last year to meet European Union expectations, and will take advice on whether further strengthening is justified,” he said.
‘Hard questions’
Webster said the MMH breach has left New Zealanders questioning the security of their information in a world of increasing cyber-threats and his inquiry would examine what steps the portal took to safeguard users’ data.
The inquiry has the power to summon witnesses and require information from any relevant organisation or individual.
“As the independent privacy regulator, my office will be asking the hard questions, not only on behalf of those whose personal health information has been stolen, but for all New Zealanders who need to be able to trust that our health information systems are safe and secure,” he said.
It will focus on MMH; the terms of reference list as out of scope: “The responses of government agencies not within the scope of the Inquiry, the National Cyber Security Centre or the Police to the cyber breach, including the handling of the ransom demand and criminal matters.”
Health Minister Simeon Brown has commissioned a separate review of his ministry’s response to the breach, which is due to be finalised on April 30.
The review will be carried out in cooperation with Chief Digital Officer Paul James and the National Cyber Security Centre.
It will look at the incident’s causes, the adequacy of the response, how MMH’s systems integrated with Health NZ’s and recommend improvements in how health information is handled to avoid further breaches.
However, it specifically excludes “the all-of-government response to the incident” and will not make recommendations for reforms not specifically linked to security of health data.
With the terms of reference of both the Privacy Commission inquiry and Ministry of Health review excluding scrutiny of the overall government response to the security breach, it is unclear whether this issue will be examined.