Key Takeaways
- The Manage My Health cyber hack has led to calls for a review of punishments for companies that breach privacy in New Zealand.
- The country’s current penalty regime is seen as inadequate, with a maximum fine of $10,000 in set circumstances and fines of up to $350,000 through the Human Rights Review Tribunal.
- Privacy lawyers and experts are advocating for a more robust penalty regime, similar to Australia’s, which includes fines of up to A$50 million for serious breaches.
- The lack of a proper fining regime is seen as a contributing factor to complacency around cyber security, with many companies not taking adequate measures to protect personal information.
- The Manage My Health hack has affected around 127,000 patients and has been described as a major breach, with hackers demanding a US$60,000 ransom.
Introduction to the Manage My Health Cyber Hack
The recent cyber hack of Manage My Health, New Zealand’s largest online patient portal, has highlighted the need for a review of punishments for companies that breach privacy. The hack, which resulted in the theft of hundreds of thousands of sensitive files, has led to calls for a more robust penalty regime to deter companies from being complacent about cyber security. The Deputy Privacy Commissioner, Liz MacPherson, has expressed frustration at the widespread complacency around cyber security, stating that the lack of a penalty regime may be contributing to this attitude.
Current Penalty Regime in New Zealand
The current penalty regime in New Zealand is seen as inadequate, with a maximum fine of $10,000 in set circumstances, such as failing to change behavior after being issued with a compliance notice or destroying personal information after it has been requested. The Human Rights Review Tribunal can also issue fines of up to $350,000, but this process is seen as lengthy and not always effective. In comparison, Australia’s penalty regime is much more robust, with fines of up to A$50 million for serious breaches. Privacy lawyers and experts are advocating for a similar regime in New Zealand, arguing that the current penalties are not sufficient to deter companies from breaching privacy.
Calls for a Review of Punishments
Privacy lawyer Katrine Evans, who chairs the Privacy Foundation, has called for a review of punishments for companies that breach privacy. She argues that the current regime is not sufficient to deter companies from being complacent about cyber security and that a more robust penalty regime is needed. Evans points to the example of Australia, which has a much more robust penalty regime, and argues that New Zealand should follow suit. Another privacy expert, Kathryn Dalziel, has also called for a review of punishments, stating that the current regime is not a deterrent and that more needs to be done to protect personal information.
Government Response
The government has responded to the calls for a review of punishments, with Duty Minister Casey Costello stating that any changes to the Privacy Act would require the input of various agencies and Cabinet consideration. While the government has acknowledged the importance of protecting personal information, it has stopped short of committing to a review of punishments. Costello has argued that the current cyber security breach is a criminal activity and that the government needs to take a considered approach to addressing the issue.
Conclusion and Recommendations
In conclusion, the Manage My Health cyber hack has highlighted the need for a review of punishments for companies that breach privacy in New Zealand. The current penalty regime is seen as inadequate, and more needs to be done to deter companies from being complacent about cyber security. Privacy lawyers and experts are advocating for a more robust penalty regime, similar to Australia’s, and the government should consider their calls. By introducing a more robust penalty regime, New Zealand can better protect personal information and prevent future cyber hacks. The government should take a proactive approach to addressing the issue and work towards introducing a more effective penalty regime that will deter companies from breaching privacy.
