2021 Litigation Forecast - Cyber and privacy risk: Back in the spotlight
The Zoom meeting walls and chat rooms, COVID tracer apps, and work from home requirements of 2020 have elevated technology and privacy issues to a whole new level of consciousness across our business and private lives.
Coupled with New Zealand’s now in force Privacy Act 2020, and ongoing global trends towards harsh penalties for those in breach of data protection laws, 2021 looks set for New Zealand to finally join the march towards greater privacy and cyber risk management and enforcement.
We have observed for some years now the exponential increase in data being collected, held and processed across New Zealand organisations. The 2020 technology boom from working from home has only exacerbated this growth, both for personal information and valuable commercial data. To cope with volume and market demands, businesses have transitioned, at pace, to digital platforms, e-commerce solutions, and digital storage of information. The pace of this transition is not slowing.
It is hardly surprising then that cyberattacks and data breaches are now regular news. CERT NZ reported 3,102 “cyber security incidents” during the six months to the end of June 2020; an increase of 42% on the same period last year. In April 2020 alone (when New Zealand was in lockdown), 820 incident reports were received. This was the highest monthly number of incident reports since the agency was established in 2017. In Quarter 3 2020, CERT received a total of 2,610 incident reports, a 33% increase from Quarter 2.
With the Privacy Act 2020 in play, we expect to see a tangible increase over the next 12-24 months in privacy enforcement actions in New Zealand. This is particularly a result of mandatory breach reporting and other enforcement mechanisms designed to give more power to New Zealand’s regulator, the Office of the Privacy Commissioner. The reforms increase litigation risk for New Zealand agencies and any agency that carries on business in New Zealand, and will impact the way that organisations conducting business in New Zealand manage privacy issues and data security.
If overseas trends are replicated in New Zealand, the Office of the Privacy Commissioner will have its work cut out for it.
In Australia, the Office of the Australian Information Commissioner (OAIC) reported an 11% increase in notifications under its notifiable data breach scheme from 2018-2019 (950) to 2019-2020 (1,050). The OAIC also launched its first civil penalty action against Facebook this year, over the This is Your Digital Life app.
In the UK, the Information Commissioner’s Office (ICO) handed down two of the largest fines relating to a data breach in UK history. On 16 October 2020, the ICO fined British Airways GBP20 million (NZD25.8 million). Two weeks later, on 30 October 2020, the ICO fined Marriott GBP18.4 million (NZD23.7 million).
The British Airways fine represents the largest fine imposed to date for a breach of the General Data Protection Regulation (GDPR). However, the British Airways and Marriott fines represent reductions of nearly 90% and 81% respectively from the fines originally proposed. This demonstrates that the ICO is willing to reduce fines where organisations demonstrate effective mitigations and remedial actions. Regulators in other jurisdictions have not taken such a friendly approach. In Germany, H&M recently received a EUR35 million fine for excessive monitoring of employees in its service centre in Nuremberg.
The penalties under our Privacy Act are substantially smaller than those in other jurisdictions (the new financial sanctions max out at NZD10,000). This makes it likely that we will see a reasonable level of cooperation between New Zealand regulators on the approach to privacy and cyber security, in order to meet public expectations of data protection laws.
We noted last year that the Commerce Commission was starting to turn its focus to privacy breaches as a consumer protection issue. At the first International Association of Privacy Professionals Australia and New Zealand summit in Sydney (in 2019), the Privacy Commissioner acknowledged that here, data protection laws alone may not be enough to combat the potential harms. He has queried whether we need more agile consumer protection mechanisms to enable privacy regulators to work together with consumer safety regulators. There is certainly scope for the Commerce Commission to flex its enforcement powers under the Fair Trading Act to ensure that consumers’ personal information is not used in misleading or deceptive ways.
Additionally, the Privacy Commissioner may look to the Financial Markets Authority (FMA) for support on enforcement and on ensuring that agencies regulated by the FMA have sound privacy practices to protect both organisations and consumers of financial products. We have seen some activity in this area, with the FMA issuing Section 25 Notices in the last 12 months to gather information on privacy and cyber security practices.
Australia has already taken steps in this direction, with the Australian Securities and Investments Commission (ASIC) commencing proceedings in the Federal Court of Australia against RI Advice Group Pty Ltd (RI), an Australian Financial Services (AFS) licence holder, for failing to have adequate cyber security systems. ASIC alleges that Frontier Financial Group, an authorised representative of RI, was subject to a “brute force” attack whereby a malicious user successfully gained remote access to Frontier’s server and spent more than 155 hours logged into the server, which contained sensitive client information including identification documents. ASIC alleges that RI failed to implement adequate policies, systems and resources that were reasonably appropriate to manage risk in respect of cybersecurity and cyber resilience.
ASIC is seeking declarations that RI contravened provisions of the Corporations Act, along with compliance orders requiring RI to implement systems that are reasonably appropriate to adequately manage risk in respect of cybersecurity and cyber resilience, and to provide a report from a suitably qualified independent expert confirming that such systems have been implemented.
The Office of the Privacy Commissioner has entered 2021 (and beyond) with a renewed focus, and increased resources to match. We expect there will be a dual education/litigation focus at first (with emphasis on education in particular during 2021), giving agencies some time to bed in the requirements of the Privacy Act.
However, we anticipate that the Privacy Commissioner will be keen to send a strong message on compliance and will look for appropriate cases in which to enforce the Act’s new standards. We also envisage that the Commissioner will work with other, heavier, regulators to ensure that agencies conducting business in New Zealand meet their privacy obligations and are both cyber-secure and resilient.