2019 Litigation Forecast - Data protection – the perfect storm to justify more focus
In 2018, there were more than 2000 data breaches reported to CERT NZ – just the tip of a now mammoth iceberg affecting the personal and confidential information of millions of people and businesses globally.
The ever increasing volume and scope of cyber events reflects the new normal that is set to continue expanding its reach throughout 2019. Even in New Zealand, media reports on data breaches occur on a weekly basis, and cyberattacks continue to morph and evolve as criminals develop ever more sophisticated methods to circumvent cybersecurity defences in a never-ending game of cat and mouse.
One of the most significant data protection enactments of the digital era took effect when Europe’s gold standard General Data Protection Regulation (GDPR) came into force in May 2018. With extraterritorial reach and antitrust style sanctions, ripples are being felt globally as European data protection regulators flex their muscles. Facebook is facing sanctions of a maximum of USD$1.6b for breaches of the GDPR, and AggregateIQ (a Canadian based company) is being investigated by the UK’s Information Commissioner under the regulator’s extraterritorial powers.
In New Zealand, our lawmakers and regulators have been slower to react and respond to the need for stronger individual and organisational data protection laws in a world where geographical borders mean less, and goods and services are traded by New Zealanders and New Zealand businesses in every corner of the globe. Reforms to the Privacy Act are finally making progress, and should be passed into law in the first half of 2019, despite a four month delay to the Select Committee’s deadline to report back. While these proposed reforms aim to make businesses and the Government more accountable to consumers and give the Privacy Commissioner greater enforcement powers, they remain (during the Select Committee stage) comparatively weak. Nor do we see them seeking the extraterritorial reach asserted by Europe through the GDPR or other jurisdictions.
Best practice and good business compels increased and proactive cybersecurity risk management by organisations, irrespective of the status of New Zealand’s reforms. In 2019, we will monitor the convergence of GDPR, local law reform, a new National Cyber Security Strategy, CERT NZ’s growing visibility, and our commercial regulators increasing attentiveness to cybersecurity.
Added to this mix are the increasingly rigorous national and cross-border data protection compliance regimes, as well as the steady uptick in class action litigation (including in New Zealand [refer to page 13]) both of which will mean greater litigation risk for organisations. In this environment, organisations should commit to a ‘privacy/data protection by design’ framework that aligns New Zealand requirements with gold plated offshore standards, tackles cross-border compliance issues, and ensures sufficient resourcing to respond to a data breach or a cyberattack.
The current refresh of the Government’s Cyber Security Strategy and Action Plan (under development by the Government in conjunction with the National Cyber Policy Office in the Department of Prime Minister and Cabinet, and related organisations) will provide some impetus for building cyber resilience by businesses. The refresh project will analyse gaps and opportunities to improve New Zealand’s cybersecurity, including through revised institutional arrangements, collaboration with the private sector, efforts to address cybercrime, system-wide leadership of government information security, and international cyber cooperation and responses. We expect recommendations from the refresh project in 2019. The renewed focus from government agencies in 2019 should assist organisations to step-up their cyber resiliency efforts. While there remains a degree of consumer apathy over how much personal information is divulged in this digital age – particularly among younger consumers and those who enjoy the benefits of targeted marketing and service provision more than they dislike the sharing of their information – that apathy is not shared by the majority of New Zealanders.
As the data gatekeepers , organisations cannot afford to be complacent about cyber risk. In an increasingly digital society, individuals have a growing awareness of their data protection rights and of the duties owed to them by Government and businesses. We anticipate an increase in information privacy access requests and complaints to the Privacy Commissioner for infractions on individuals’ privacy rights. Organisations will need to be equipped and ready to react to consumer demands for access to, and protection of, personal information, as well as ready to respond to developing national and international compliance standards. The legal risks of inaction should not be overlooked.