Our Views:
This month’s theme is “The Privacy Act 2020 and the benefits of forensic expertise”.
In last month’s Bulletin, we explored the concerning rise in Data Leaks associated with Ransomware attacks.
The new Privacy Act 2020 (the Act) came into effect on 1 December 2020, introducing a range of reforms. It is now mandatory for organisations to determine whether they have a reasonable belief that a breach may cause serious harm, and if so, notify both the Office of the Privacy Commissioner and the individuals concerned. Notification is required as soon as it is reasonably practicable to do so, even if the full extent of the privacy breach is unknown.
In assessing notification requirements, an organisation needs to determine whether they have a reasonable belief that a privacy breach has occurred. While this may be obvious if a third party advises you that they received your data in error, it may be more difficult if you receive a ransom demand from a cyber-crime group threatening to publish the material on a Data Leak site.
By adopting a forensic approach, you can work through the incident response process, which involves the key steps of ‘Identification’, ‘Containment’ and ‘Eradication’. Given the potential of legal proceedings by both individuals and other stakeholders, a forensic approach ensures your evidence will withstand legal scrutiny. A brief overview of this process follows.
Identification
The identification phase includes, amongst other activities, preserving potential evidence, examining the data for Indicators of Compromise (IOCs) and determining the extent of any breach. This phase also assists in determining your security response.
Containment
The containment phase involves limiting and preventing further damage from occurring. This includes determining whether the breach has caused, or is likely to cause, serious harm to individuals. According to section 113 of the Act, when an agency is assessing whether a privacy breach is likely to cause serious harm, and therefore be a notifiable privacy breach, the agency must consider the following:
- any action taken by the agency to reduce the risk of harm following the breach
- whether the personal information is sensitive in nature
- the nature of the harm that may be caused to affected individuals
- the person or body that has obtained or may obtain personal information as a result of the breach (if known)
- whether the personal information is protected by a security measure
- any other relevant matters.
A forensic examination can provide answers to most of the above requirements. For example, forensic tools and procedures can quickly and thoroughly determine the content of personal information, who may have obtained the information and whether the breached information was secured (e.g. encrypted).
Eradication
The eradication phase involves removing the actual risk and beginning the restoration of any affected systems.
A forensic approach can assist in determining the extent of compromise and any ongoing risks, so you can determine whether to rebuild systems, commission additional security measures, and perhaps most importantly, notify any affected individuals of the potential risk of serious harm.
Following a Data Breach Response plan, your next (technical) steps will likely include:
- Configuring and enabling the notification process using a secure and measurable platform
- Conducting Dark Web, Social Media and Credit Monitoring
- Providing Forensic Incident Response reports to regulators and other affected stakeholders
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line “Subscribe”, “Unsubscribe”, or, if you think there is something worth reporting, “Contribution”, along with the webpage or URL in the contents.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
