The Office of the Privacy Commissioner (OPC) in New Zealand says it received 97% more privacy breach notifications in the four months after a new Privacy Act came into force on 1 December. The comparison is with the previous six months.
Under the new act, organisations and businesses which experience a privacy breach that has caused, or has the potential to cause, serious harm must report it to the privacy commissioner.
Of such breaches reported, 65% involved emotional harm, 30% financial harm and 30% reputational damage.
“We’ve found that breaches can occur in any industry with reports from organisations in the financial and insurance services, the public sector, education and training, retail and accommodation, and even mining,” said privacy commissioner John Edwards.
“The law change means that the privacy breach information we receive will now be comprehensive and more accurate. We intend to publish this information as a regular anonymised summary to help all organisations know where the greatest privacy risks are.”
The most common category of privacy breach was email errors (25%), with emails containing sensitive information going to the wrong person.
Unauthorised sharing of personal information accounted for 21% of reported breaches and unauthorised access to information 17%.
Edwards also said that in the first six months of the new act being in force, the OPC has focused on educating organisations and businesses to help them understand their obligations.
Failure to report a serious privacy breach is a criminal offence which may result in a fine of up to NZ$10,000 (US$7,200, €6,000).