New Zealand privacy law does not currently require a business to notify its customers when their personal data has been compromised. This is likely to change.

Late last week it was revealed that Uber had lost the personal information of 57 million users, a massive data breach, and had paid the hackers USD 100,000 in hush money to keep the breach secret. Notifying customers of a serious data breach of this kind is not currently mandatory in Australia either, but it will be from February 2018. Australia (along with several other countries) is nonetheless investigating this breach and Uber's response to it. And while a breach of this magnitude might not (yet) have ramifications under Australian privacy law, it does highlight how damaging a breach of this nature, and the way in which an organisation deals with it, can be to that organisation's reputation.
Mandatory reporting of serious data breaches to the authorities and affected individuals is being adopted by legislators in many countries to address the increasing threats to information security. Proponents of the mandatory reporting requirement suggest that individuals have a fundamental right to be informed about data breaches that may have a potential adverse effect on them and that, without legal compulsion, organisations have little incentive to notify individuals of data breaches (especially given the reputational effects such notification can have). On the flip side is the argument that the cost imposed on data controllers of mandatory notification obligations could be significant and prohibitive. Some also argue that the fear of reputational harm may continue to act as a disincentive to compliance.