Privacy lawyers are calling for a review into what punishments companies can face for breaching privacy in the wake of the massive Manage My Health cyber hack.
The country's largest online patient portal faces a new Friday deadline for a US$60,000 ransom after hundreds of thousands of sensitive files were taken.
Manage My Health said hackers came in through its front door, and that it dropped the ball.
Chief executive Vino Ramayah has not ruled out standing down from his post.
In its latest public update, Manage My Health said it would start notifying affected users by the end of Thursday.
About 127,000 patients were affected.
Speaking to RNZ this week, the Deputy Privacy Commissioner said the Privacy Commissioner's Office was irked by widespread complacency around cyber security.
"The frustration for us at the Office of the Privacy Commissioner is that we continue to see complacency from, and this is across the board ... a continuation of the 'it'll happen to somebody else, not to me' type approach," Liz MacPherson said.
"And you have to ask the question, is the lack of a penalty regime part of that?"
For a former Assistant Privacy Commissioner, it was.
Privacy lawyer Katrine Evans Photo: Supplied
Privacy lawyer Katrine Evans chairs the Privacy Foundation, which had a mission of protecting privacy rights through research and education.
"The Privacy Commissioner's Office has been calling for a long time, not just the current Privacy Commissioner, but previous Privacy Commissioners have called for a proper fining regime, a civil penalty regime, so not a criminal prosecution, but an ability to fine companies that breach privacy when they should have been taking much greater care," she said.
"And so far that hasn't happened, it's now 2026 and it's about time we had those in place."
MacPherson pointed to the penalties on offer in Australia which were significantly increased in late 2022.
For a serious breach, a court could impose a maximum of A$50 million, or three times the benefit derived from what happened, or 30 percent of a business's annual turnover.
That was for each contravention.
In New Zealand there was no express penalty for a privacy breach.
Deputy Privacy Commissioner Liz MacPherson. Photo: RNZ / Dom Thomas
The Privacy Commission was able to issue fines of $10,000, but these were for set circumstances:
- A business or organisation that failed to change its behaviour after being issued with a compliance notice
- Misleading a business or organisation to access someone else's personal information
- A business or organisation destroying personal information after it had been requested to avoid handing it over
- Failing to notify the Privacy Commissioner of a breach.
The Human Rights Review Tribunal, if a case went there, was able to issue a fine of up to $350,000.
"It's a pretty long haul to get all the way through there to get compensation," Evans said.
"A lot of things settle quite early so that's one option where you've been harmed, you ask for compensation, but that's not to do with punishing."
Evans said some courts could make awards for damages to punish a business or organisation through exemplary damages.
"The Privacy Foundation definitely thinks it's high time," she said when asked if there should be a review of the punishments available.
"Where are the incentives for agencies to take privacy seriously, to invest in good systems, to support their staff, to do the right thing, to provide great training?
"If you compare that with something like health and safety, where there are really significant fines available for, say, workplace accidents, privacy is looking pretty weak."
Evans said having a better regime of fines would mean "everybody has to take care".
Privacy barrister Kathryn Dalziel was another who said there should be a review.
"My view is that the penalties regime is not a deterrent," she said.
"So there needs to be a review of those penalties and the amounts that can be awarded but also what they can be awarded for, and for serious privacy breaches which should never have happened, these should be matters that the Privacy Commissioner's got the ability to impose penalties.
"I can understand the sense of frustration when you don't have a power to impose a penalty that will act as a deterrent ... I just don't think we have the deterrent factor in New Zealand."
Privacy barrister Kathryn Dalziel. Photo: Pool / Iain McGregor / The Press
Dalziel said she was surprised New Zealand did not follow Australia when it massively boosted its penalties.
Commenting on the Manage My Health hack, she called it a major breach.
"And the reason I say that is that any attack on a health system or health database causes fear for people."
Her advice for worried patients was to let Manage My Health know, and contact the Privacy Commissioner to discuss their rights.
"This is something New Zealanders hold dear, the sensitivity of our health information and so any attack on a health system of this significance, particularly given the clear criminal intent behind the attack, says to me there are New Zealanders out there that are concerned, fearful, worried and anxious about their health information."
Government responds
Through a spokesperson, Duty Minister Casey Costello said she was "not going to make up policy on the fly".
"Any changes to the Privacy Act would require the input of various agencies and Cabinet consideration," she said.
"Of course the government wants to ensure that people's private information is protected.
"However, it is important to recognise that the current cyber security breach is criminal activity," Costello said.