A Whanganui cyber-security consultant, Katja Feldtmann, has started a petition to Parliament calling for tougher penalties following the major ManageMyHealth data breach.
Feldtmann said the current penalties are insufficient.
“Because $10,000 for one organisation, if you make millions, the fact that it’s up to $10,000 and not proportionate to annual turnover or things like that, it really just is not adequate,” she said.
That figure is the maximum fine available under New Zealand’s Privacy Act 2020, and it applies only to the specific offences the Act creates, not to a data breach as such.
“Privacy Commissioners have tried to get higher penalties and stricter regulation and have failed, so I thought maybe if we can get enough people to sign a petition, then it comes from the people of New Zealand, which our government should serve,” she added.
“Maybe that makes a difference.”
Feldtmann highlighted Australia’s increased penalties from late 2022. For serious breaches, courts can impose up to A$50 million per contravention or three times the benefit gained, or 30% of a business’s annual turnover, whichever is greatest.
New Zealand, by contrast, has no civil penalty regime for privacy breaches themselves; the only fines in the Act attach to particular offences.
Those fines, capped at $10,000, can be imposed on businesses or organisations for offences such as failing to comply with a compliance notice, misleading an agency to gain access to personal information, destroying personal information after a request has been made for it, or failing to notify the Commissioner of a notifiable privacy breach.
“They’re just not enough,” Feldtmann said.
“I think they’re just too low to be encouraging people to do better. They are hindering organisations from doing better because the penalty is cheaper than actually implementing some better security and privacy measures.”
“I always look at it, and then I look at what the rest of the world is doing. The European Union is the gold standard,” she said.