New Zealand privacy law does not – currently – require a business to notify its customers when their personal data has been compromised.  This is likely to change.

Late last week it was revealed that Uber had lost the personal information of 57 million users – a massive data breach – and had paid hackers USD100,000 hush money to keep the breach a secret.  Notifying customers of a serious data breach of this kind is not currently mandatory in Australia, but it will be from February 2018.  Australia (along with several other countries) is nonetheless investigating this breach, and Uber’s response to it.  And while a breach of this magnitude might not have ramifications under Australian privacy laws (yet), it does highlight how damaging a breach of this nature (and the way in which an organisation deals with that breach) can be to an organisation’s reputation.

Mandatory reporting of serious data breaches to the authorities and affected individuals is being adopted by legislators in many countries to address the increasing threats to information security.  Proponents of the mandatory reporting requirement suggest that individuals have a fundamental right to be informed about data breaches that may have a potential adverse effect on them and that, without legal compulsion, organisations have little incentive to notify individuals of data breaches (especially given the reputational effects such notification can have).  On the flip side is the argument that the cost imposed on data controllers of mandatory notification obligations could be significant and prohibitive.  Some also argue that the fear of reputational harm may continue to act as a disincentive to compliance.

In New Zealand, the Privacy Act governs the way in which personal information is collected and used, and it does not require mandatory reporting of serious data breaches – yet.  Instead, the Office of the Privacy Commissioner suggests that it is a good idea to be open about a data breach and the steps that you are taking to fix it.  In deciding whether to notify affected individuals, the Office of the Privacy Commissioner recommends that if the affected individuals “could suffer harm and need to act to protect themselves, for instance by changing their passwords or monitoring their bank accounts for malicious activity, then you should probably tell them about the breach and steps you are taking to mitigate it.  If there’s no likely consequences from the breach, or if telling people would cause more worry and harm than not telling them, it may be acceptable not to tell affected individuals”.

Reform of the Privacy Act has been on the cards for some time, with initial recommendations for change being made by the New Zealand Law Commission in 2011.  The need for mandatory reporting of serious privacy breaches (i.e. where there is a real risk of serious harm as a result of a data breach) to authorities and affected individuals is one (among many) of the urgent reforms outlined by the Privacy Commissioner, John Edwards, in his recent briefing to the incoming Minister of Justice.

The way in which personal data is used has changed and increased dramatically since the Privacy Act came into effect (in 1993), and this area of the law – like so many others – needs to catch up with societal changes.  So, the next time our personal information is lost, Uber may be obliged to tell us about it.