It's almost three years since the Privacy Act 2020 (Act) introduced a mandatory notification regime for privacy breaches that "have caused, or are likely to cause, serious harm". Unfortunately, there have also been plenty of opportunities to apply the new regime given the continuing rise in cyber incidents affecting New Zealand organisations.
Service providers - as a repository of multiple customers' data, and a potential gateway into their systems - are increasingly targets for cyber attacks, and there are specific challenges that arise where the privacy breach originates in a service provider's environment. This article explains some of these complexities, and three key lessons that we have learned over the last few years of advising on such breaches for both customers and service providers.
72 hours goes really fast, so it helps to have a plan
Under the Act, agencies must generally report notifiable privacy breaches "as soon as practicable" after becoming aware that a notifiable privacy breach has occurred. The Office of the Privacy Commissioner (OPC) has issued guidance stating that it expects to be notified within 72 hours.
Where the breach happens in a service provider's environment, service providers naturally want to assess the situation, and check their legal obligations, before letting their customers know what has happened. Where the affected party is a subcontractor to the service provider, the chain of communications becomes longer again, as each party repeats the assessment process.
This can create a timing problem for the customer, because:
- It's often the end-customer that is the relevant "agency" under the Act and carries the primary obligation to report notifiable privacy breaches. Service providers that are storing or processing data for a customer are often considered the customer's agent under the Act and the position around who is responsible for notifying a breach under the Act becomes murkier.
- The customer is deemed to know about a privacy breach (and the clock starts ticking on the 72 hour reporting timeframe) as soon as its service provider finds out about the issue. If it takes a couple of days for the news of a breach to reach the customer, then it can be a real struggle for the customer to assess the breach, decide how to respond, and prepare any required notifications within the 72 hour timeframe. This gets even more difficult where the breach happens over a weekend (which can often be the case).
While a good breach reporting clause in the relevant contract certainly helps (and we explain more about this below), we have found that parties are best prepared to deal with these issues quickly and meet the 72 hour timeframe if they have a clear incident response plan that can be executed immediately.
A well-crafted incident response plan should:
- Establish an 'incident response team' with members from senior management, and the customer's communications, technology/security, legal and finance teams
- Identify professional advisors that are already familiar with the organisation and that have been onboarded so that they can begin work immediately without needing to go through account creation processes
- Contain draft starting points for notifications and communications where relevant
- Include training for those people named in the incident response plan
- Be periodically tested and refreshed.
Agree up front who is responsible for assessing a privacy breach
In service agreements that involve the handling of personal information, it's important to include a clause that requires the service provider to promptly tell the customer about privacy breaches, and for the parties to cooperate to meet any notification requirements. That clause should include a definition of privacy breach that matches the definition in the Act, and ideally be specific about the timeframes for initial reporting, and how much the service provider should do to assess a breach before telling the customer.
Often, the customer will prefer to be told about any data breaches that affect personal information (regardless of the likelihood of serious harm). In this case, the customer should be told quickly, so that they have time to assess the breach, and report it if required. While this might mean that information about a breach gets provided incrementally as the service provider continues to investigate the issue, in our experience this is usually workable. The OPC already allows affected organisations to provide interim reports and update them as new information about a breach becomes available.
There can be situations, particularly for multi-tenanted SaaS services, where the service provider prefers to do the initial breach assessment, and only to report certain serious breaches to a customer. This might be to avoid advantaging one customer over others, or to account for reporting obligations that a service provider may have in other countries. What constitutes a 'notifiable breach' under overseas privacy laws (such as GDPR) can differ in small but significant ways from the definition under the Act. So while this can still work under the Act, it will be important to make sure that the relevant contract requires the service provider to assess the breach consistently with the Act's requirements, and in light of the customer's particular circumstances and affected data. Importantly, a customer could (in the right circumstances) be liable under the Act for a service provider's incorrect assessment of a privacy breach, so customers may seek to protect themselves from this risk via a suitable indemnity.
Be ready to change your plan in light of what others do
Privacy breaches affecting multi-tenanted services can quickly get complex because:
- A single service provider's breach may affect many customers, and sometimes in different countries. Depending on what customer data is stored, reporting obligations overseas, and individual risk tolerance, different customers may make different decisions about whether to report a breach
- Service providers, even if they are not the relevant "agency" for the purposes of the Act, may have data reporting obligations in other countries, or they may opt to report a breach direct to the OPC.
Once the 'cat is out of the bag', other affected organisations may decide to report a privacy breach (regardless of whether the statutory criteria are met), in order to tie off loose ends or to answer questions from customers, the OPC, or media outlets.
This means that even where you assess a privacy breach as being not notifiable, it's good practice to keep a record of how you reached that decision, and be ready to change your approach or to explain the breach and your assessment of it, should questions arise.
If you have any questions about how to prepare for or respond to a privacy breach, please contact a member of the Buddle Findlay privacy team.