NZ Incident Response Bulletin January – 2020

Our Views:

A recap of two of the most important changes relevant to Forensic and Cyber Security matters announced during 2019 and how to prepare for them.

A new Privacy Act in 2020

Changes to existing privacy law are due in 2020. Key highlights for all businesses to be aware of include:

  • Requirements to report privacy breaches: If an organisation has a privacy breach that poses a risk of serious harm, it must notify the Commissioner and the people affected (unless an exception applies).
  • Compliance notices: The Commissioner will be able to issue compliance notices to require an organisation to do something, or stop doing something, to comply with the Privacy Act.
  • Decisions on access requests: The Commissioner will make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal.
  • Strengthening cross-border protections: New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by acceptable privacy standards.
  • New criminal offences: It will be an offence to mislead an organisation in a way that affects someone else’s personal information, and to destroy documents containing personal information if a request has been made for it. The proposed penalty is a fine of up to $10,000. It will be an offence to fail to notify the Commissioner of a serious privacy breach, or to fail to comply with an enforceable compliance notice.
  • Extraterritoriality: An overseas agency is to be treated as “carrying on business in New Zealand” even if it does not have a physical place of business here – if it charges any monetary payment for goods or services or makes a profit from its business here.

The new bill passed its second reading in 2019. March 2020 was proposed as a start date for these changes; however, it may be closer to July 2020 before the bill is passed.

Preparing for these changes

When the new privacy bill passes, there will be a six-month implementation period to prepare. There are steps you can take in advance of these changes to ensure your business is ready.

  1. Ensure you are aware of and understand all changes proposed and which may impact your business. The Ministry of Justice website currently has detailed information about all changes proposed.
  2. Review your current privacy policies for compatibility with all changes.
  3. Develop compliant policies that are ready for use by mid-2020. This should include a mandatory breach reporting policy that can be used from March 2020.
  4. Ensure your Incident Response Team is fully aware of the new data breach requirements and has processes in place for identifying, protecting, defending, responding to and recovering from a breach.
    Points to consider: How will we determine serious harm? Who will manage notification and communication requirements? Do we have protocols in place for containment?
  5. Review all data storage and handling policies and service provider agreements for compliance with the new cross-border protections.
    Points to consider: Do we store, process or send any data overseas? Do we have processes in place to adequately protect this data and its end use?
  6. Have your privacy officer develop training and communication materials to communicate all changes to all employees. If you don’t have a privacy officer, now would be a good time to think about delegating that responsibility to someone in your organisation or consider engaging an external privacy expert to fulfil that function.

New FMA Cyber Resilience requirements

The Financial Markets Authority (FMA) released a report in July 2019 reviewing the cyber-resilience of New Zealand financial services which included a series of cyber recommendations. These recommendations included the introduction of a cyber resilience framework for all financial service providers. While this report is targeted at entities regulated by the FMA, it is also useful to other participants in financial markets and businesses generally as it discusses the nature and prevalence of cyber-risk within them.

Changes include the FMA requiring its reporting entities to:

  • Include a cybercrime risk assessment within existing AML/CFT Risk Assessment or current Risk Management processes.
  • Ensure Cyber Incident Response and Recovery Plans are in place.
  • Ensure Cyber Protection and Detection measures are in place.
  • Ensure Cyber Risk Analysis and Management is governed and in line with the Institute of Directors Cyber Risk Practice Guide.
  • Make use of the cyber resources provided by CERT NZ and New Zealand’s National Cyber Security Centre (NCSC).
  • Aim to use a “recognised cybersecurity framework to assist with planning, prioritising and managing” cybercrime risks, such as that of the National Institute of Standards and Technology (NIST).

According to the FMA, “All licensed firms should treat the risk of cyber-attacks as real, and plan accordingly”.

Tools to Assist

We suggest familiarising yourself with current cyber threats in the New Zealand landscape via the Threat Alerts in this monthly bulletin (including those reported in the premium edition), the NCSC cyber threat reports and the CERT NZ reports.

In its report, the FMA recommended using the NIST Cybersecurity Framework to develop or improve a cybersecurity programme. The framework allows a business to assess its current level of cyber maturity, determine goals, and plan and prioritise an improvement programme.

The NIST website also provides many additional free resources to assist in developing Incident Response and Recovery Plans and procedures.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.