Most New Zealanders want bigger fines for data leaks than the maximum $10,000 penalty available to our top privacy watchdog today, a survey has found.

But cybersecurity industry leaders, and a key Cabinet minister, are not on the same page as the survey respondents.

Research firm Talbot Mills surveyed a representative group of 1059 NZ adults during the first two weeks of February and found:

60 per cent of respondents say the current maximum fine of $10,000 for cyber breaches is insufficient.

When asked what a reasonable fine would be, 40 per cent said upwards of $100,000 and 23 per cent said over $500,000.

71 per cent said they would consider taking their business elsewhere after a cyber breach.

A wave of cyberattacks and human blunders has seen sensitive data potentially exposed over the past 24 months from incidents involving the Department of Justice, the former Waikato District Health Board, the Reserve Bank, Eftpos provider Smartpay, Nissan NZ, Lion NZ, Fisher & Paykel Appliances, Master Builders, Kings Plant Barn, the Nurses Association, BusinessNZ, Health New Zealand (Te Whatu Ora) and many more.

Does the industry favour bigger financial penalties?

“There are several considerations when discussing large financial penalties for organisations with lax cybersecurity measures,” Palo Alto Networks NZ managing director Misti Landtroop said when asked for her take on higher penalties.

“First, if we are to increase the maximum fine, where will this money go? For instance, will the Government reinvest it in cyber resiliency initiatives, or will it be returned to affected customers?

“Second, how effective is punishment in bringing about positive change? Penalising companies won’t enhance their defences against cyberattacks and diverts funds that may otherwise be invested in cyber security,” Landtroop said.

“The fear of a fine could also discourage organisations from being open, collaborative, and sharing information to improve cyber resiliency more broadly.”

Exploring more nuanced reward systems that recognise and incentivise cybersecurity best practices may prove more effective in cultivating a robust cyber defence culture, Landtroop said.

And Microsoft technology strategist Hilary Walton said, “Industry, government and technology leaders need to collaborate, work together and share information to equip organisations with the right security measures and know-how to respond to breaches effectively, as businesses can’t face the rising threat of cyberattacks alone.”

Does the Government favour higher fines? Minister responds

The new Government has taken a multi-pronged approach to technology issues, with different aspects of the portfolio shared between Minister of Science, Innovation and Technology (and Attorney-General, GCSB Minister and Defence Minister and Minister for Digitising Government) Judith Collins, Media and Telecommunications Minister Melissa Lee, Commerce and Consumer Affairs Minister Andrew Bayly, whose brief includes a push for more cyber scam safeguards, and (stay with me) Paul Goldsmith, who, as Justice Minister, addresses data breach issues as the minister in charge of the Office of the Privacy Commissioner.

“There are no current plans to amend the offences and penalties in the Privacy Act (2020), but it is something we might consider in the future,” Goldsmith said.

While offences under the Privacy Act are limited to $10,000, Goldsmith noted, “a resolution is possible. The Privacy Commissioner may refer the complaint to the Human Rights Review Tribunal, which can award damages of up to $350,000”.

“The tribunal has the same powers as a District Court and can make binding decisions, award damages and order parties to pay costs.”

When submissions were called for what became the 2020 update to the Privacy Act, then-Privacy Commissioner John Edwards - the winding Human Rights Tribunal path notwithstanding - recommended “empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches - up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate”.

The Labour-led government snubbed that, and a number of other modernisation proposals submitted by Edwards.

In 2021, Edwards relocated from Wellington to London after being head-hunted to become the UK’s top privacy regulator - a position with teeth he had sought, and then some. He made headlines last year as he thumped TikTok with a £12.7m ($26.5m) fine for collecting data on children.

Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.