Written by: IT Alliance
There was an unprecedented number of hacking and ransomware attacks in Wairarapa/Wellington, New Zealand in 2020. As a result, from January 2021 there will be changes to what we need to do if our data has been hacked.
New Government legislation is coming into play around how every business operating in New Zealand needs to report data loss. Let’s take a look at why you need to know about this and how you can minimise your risk of being hacked and/or fined.
Avoid a fine of up to $350k!
Privacy breach reporting was originally scheduled to change early this year, but with the impact of COVID the legislation changes were delayed until 25th June 2020, when Parliament passed the Privacy Act 2020, which came into effect on 1st December 2020.
It is really important to be informed about what the core principles of this Act are. Why? The Act now allows the Human Rights Review Tribunal to award up to a whopping $350,000 to EACH member of a class action! That is a lot of dough…once you add it up!
What are the core principles?
There are 13 core principles you need to be aware of. They set out how you should collect, hold and use personal information, and we’ll do our best to sum them up below:
Collecting personal information
- Only collect personal information if it is necessary.
- Collect information directly from the person.
- Tell people what you’re doing, like why you’re collecting their data and who can access it.
- Make sure you collect information lawfully and fairly.
Holding personal information
- Store personal information securely, e.g. a locked cabinet for physical documents and password protection for electronic files.
- Give people access to their personal information.
- Let people correct their information if they think it’s wrong.
Using and disclosing personal information
- Make sure personal information is accurate and up-to-date.
- Don’t keep personal information for longer than necessary.
- Only use information for the purpose you collected it for, and if you need to dispose of it, do so securely, e.g. use shredders, wipe hard drives and delete backups.
- Only disclose personal information if you have a good reason.
- Only disclose personal information overseas if the receiving organisation is subject to the Privacy Act or similar laws.
- Only use unique identifiers when necessary, e.g. a driver licence number.
You can see a full list of your responsibilities on the Privacy Commissioner website.
We spoke with Alex Teh, CEO of cybersecurity specialists Chillisoft, who had the following advice for our readers:
“The NZ privacy bill 2020 comes into law this month. This new bill provides the Information Commissioner additional legal rights to do things like issue a mandatory disclosure notice to any company that has had a data breach that resulted in the loss of personally identifiable information (PII). If that data breach and loss of PII results in potential harm to the public, he then has the right to issue a notice that will result in a fine of $10,000. More importantly, the organisation that lost the data will need to notify all their customers whose PII they lost, potentially causing massive reputational damage that could result in loss of business.”
“When looking at how other countries like the UK and Europe have dealt with their privacy bills, those markets have fully embraced the use of encryption to negate the need to disclose. If a company can prove that the stolen data was encrypted, they are not required to disclose. The use of a data loss prevention (DLP) product like ESET Safetica is also needed for discovery. Most IT managers, CIOs and CISOs actually struggle when asked where their PII resides on their network. A DLP product provides good auditing and reporting functionality that can be used to track where the PII is. Once there is an understanding of where the data is, the company can then classify that data and take action like block, take a copy or report.”
Tools to help!
If you do have a breach and don’t know whether you need to report it, don’t worry! There’s a tool called NotifyUs which helps you understand when you should and shouldn’t report your data breach.