As cyberattacks continue apace, New Zealand IT leaders must come to grips with privacy laws that require their organisations to notify the Privacy Commission of data breaches in a timely manner.

Privacy Commissioner John Edwards says while the Privacy Act 2020 doesn’t specifically state the time frame between the breach taking place and notification, his office has determined it should be within three days, unless there are extenuating circumstances.

“There is still not much in the Privacy Act that can result in a prosecution. But one of them is failing to notify us of a serious breach as soon as reasonably practicable. So there has been a little bit of room for uncertainty there. The act doesn’t specify a time limit. What we’ve done is put our money down and said: ‘If you’re going to be longer than 72 hours, you better have a pretty good story about why that is, because that’s our expectation,’” he says.

Organisations mustn’t wait to notify Privacy Commissioner of breaches

The Privacy Commission has outlined three examples of where organisations were warned about possible breaches of the Privacy Act. In two of those cases, the commission took issue with the amount of time it took to notify of the breach; in one case it was three months and in another it was two months.

On the latter case, the commission noted: “We advised the organisation it should have reported the breach to our office at the same time as it tried to rectify the breach. It was unnecessary to wait until all steps had been taken to resolve the matter before notifying us.”

Mandatory reporting, which can result in a fine of up to $10,000 if not adhered to, is one of just a couple of new obligations introduced under the new law.
The second major change cited by Edwards is the information privacy principle which restricts the transfer of personal information overseas. He previously told CIO New Zealand that this new principle won’t affect cloud storage arrangements, but it might apply when organisations use third-party platforms that use the data for their own purposes, such as advertising.

“The big shift is that we have more levers now than just complaints. I’ve got a compliance and enforcement team. … Under the new act, I can actually go out and look for noncompliance and start issuing those noncompliance notices whether or not anybody’s experienced harm,” Edwards says.

Prosecution remains a multistep process, in that the Privacy Commissioner can’t prosecute for ordinary breaches under the act without first issuing a compliance order. As Edwards explains: “If an organisation was really stupid in its IT management and as a direct provable result becomes a victim of a ransomware attack, I still wouldn’t be able to prosecute. What I could do under the new act is serve a compliance notice saying: ‘Here’s what you need to fix’, and if they didn’t comply with that, then I could prosecute,” he says.

Privacy Office geared up to enforce compliance: What CIOs should consider

Since the new act came into law in December 2020, Edwards says his office has undergone a restructure to “be ready to make the most of the new legislative framework.” That means taking a more “proactive approach” to reminding organisations of their responsibilities and sharing examples on its website.
When sharing the warnings publicly, the organisations have not been named, as Edwards says the commission’s “starting presumption for all that we do under the Privacy Act is that we’re bound by secrecy.”

The exception is when the commissioner believes that they need to publicise the data breach to inform consumers or promote compliance. “But we also want to create an environment where agencies are comfortable coming to us and are candid with us about what is going on. It won’t be a default position to identify organisations, but we will do so where necessary to enforce the act and warn consumers,” he says.

As for CIOs grappling with what changes they may need to make to ensure compliance, Edwards says understanding the reporting pathways in their organisations is a good start.

“They should know who should be receiving breach notifications and assessing them and what they can learn from them. They should be looking at the ransomware attacks we are seeing and saying: ‘Are we ready for these? What would happen if they happened to us? Do we do offsite backups, have we been patching, have we been reminding staff of the tactics that are used to create and exploit vulnerabilities?’” he says.

Consumer data right is on its way

Edwards had advocated for the establishment of a consumer data right (CDR) to be included in the Privacy Act, but this will be tackled separately. Following public consultation that attracted 59 submissions, Commerce and Consumer Affairs Minister David Clark has announced the government will look to introduce the relevant legislation in 2022.

Clark defines a CDR as a “mechanism that requires data holders, such as banks and electricity retailers, to safely and securely share data with third parties (like fintech companies) following consent from the customer. This means New Zealanders gain access to a wider range of products and services that better meet their needs.”

Development of a regulatory framework to enable the CDR will be done with the Digital Trust Framework, announced earlier in 2021. The CDR will also be rolled out on a sector-by-sector basis and will be closely aligned with the Australian CDR model introduced in 2019.

In Australia, the banking and energy sectors were the first to be designated under the CDR legislation, and IT leaders in those sectors in New Zealand will be watching developments closely, as well as preparing for the new legislation here. Bank of New Zealand executive general manager for technology and operations Russell Jones previously told CIO New Zealand that it would “lean very heavily” on the experience of its parent company National Australia Bank (NAB) in implementing a CDR locally.