Mandatory Privacy Act Reporting
Are you ready for the new Privacy Act effective 1 December 2020? Most NZ organisations (known as agencies) will be subject to the Act including companies and government departments. The framework of the 1993 Privacy Act is retained (albeit updated to align with international best practice) but the most significant change is mandatory notification (Reporting) of notifiable privacy breaches.
What is a notifiable breach?
A notifiable breach is defined as a privacy breach that it is reasonable to believe has caused ‘serious harm’ to an ‘affected individual’, or is likely to do so.
Serious harm needs to be assessed by the agency in order to decide whether the breach is notifiable; agencies must consider:
Any action taken by the agency to reduce the risk of harm following the breach,
Whether the personal information is sensitive in nature,
The nature of the harm that may be caused to affected individuals,
The person or body that has obtained or may obtain personal information as a result of the breach (if known),
Whether the personal information is protected by a security measure, and
Any other relevant matters.
An affected individual is defined as an individual to whom the information relates, whether they are inside or outside of New Zealand.
What mandatory reporting is required?
It is an offence, without reasonable excuse, to fail to notify the Commissioner of a breach.
Agencies will be required to notify the NZ Privacy Commissioner and affected individuals of any privacy breach that it is reasonable to believe has caused serious harm to affected individuals, or is likely to do so.
A privacy breach includes unauthorised or accidental access to, or disclosure, alteration, loss or destruction of, personal information; or an action that prevents an agency from accessing personal information either temporarily or permanently.
Agencies are required to notify the Commissioner and affected individuals as soon as practicable after becoming aware of the breach.
A specific notification form is to be used for notifying the Commissioner and another for notification to all affected individuals.
If an agency finds it is unable to notify affected individuals, it must give public notice of the breach, unless doing so would:
Prejudice the security or defence of New Zealand,
Prejudice the maintenance of the law by any public sector agency,
Endanger the safety of a person, or
Reveal a trade secret.
What does this mean to me?
You need to have processes and technologies in place to be able to:
Identify and confirm what data has been breached
Identify all ‘affected individuals’ in your environment
Identify the extent of a breach so that accurate and effective reporting can be actioned; this can be achieved with incident monitoring and detection reporting solutions.
When do I need to act?
Too late is too late: the sooner you have visibility, the quicker and more effectively you can respond to any breach.
If you still think “this isn’t likely to happen to me”, or “my data isn’t going to be targeted” remember this:
Attackers do not care who you are or what you do, only whether they can exploit your data and information.
By design, breaches commonly go unnoticed for some time.
No matter how secure you are, with enough time and effort, you can be breached.
Over 80% of breaches involve (often unknowing) staff and circumvent the security strategies in place, particularly where those strategies are focused on the technical perspective only.
Techtonics is able to assist you to identify breached data and ‘affected individuals’ in your environment.
Being prepared for regulatory breach reporting is a governing board responsibility and an organisational management deliverable.
Scaled solutions supporting efficient breach reporting should now be part of an agency's cyber defence strategy.
Elements of an effective cybersecurity protection strategy that you can adopt today
Data Leak Protection
Protect against human error data leaks with Data Leak Protection (DLP)
Discover and classify sensitive information, apply protection policies, monitor and remediate and accelerate compliance.
Many data breaches are accidental; DLP prevents accidental breaches of data as part of your protection strategy.
Intrusion Detection and Response
Detect, report on and respond effectively to cybersecurity breaches.
Respond efficiently and report on breaches with technology that stops attackers in their tracks.
Improve response time and gain visibility of the attack timeline and the details needed to report to CERT NZ, your board, the Privacy Commissioner, etc.
Understand your vulnerabilities to actively report on and mitigate risk
Scan for and understand your infrastructure vulnerabilities as they change, with meaningful prioritisation allowing you to effectively mitigate against your top weaknesses.
Provide visibility and demonstrate results to your board
Phishing Sim & Security Awareness
Build security awareness into your organisation and staff
Your staff remain effective attack vectors for bad actors to exploit, commonly by prompting them to open emails and click the links inside them.
Understand and prevent breaches with simulations and regular short, effective online training modules.
Organisational Risk Assessment
Identify key information assets and a protection plan to keep them safe
Organisational risk assessments allow you to understand and protect your critical information assets.
Our methodology is globally recognised and maps to the NIST cybersecurity framework, and therefore to the NZISM.
Actively secure your applications and web accessible services
Scan, understand and reduce the attack surface of your internet facing services, even as the threat landscape evolves constantly.
Protect your internet facing websites and services with next generation WAF technologies.
Cyber Resiliency Review
Measure your cyber maturity levels to prioritise areas in need of attention
Understand your maturity levels across each of the 10 business domains and 26 process models, through a facilitated survey.
Your organisation's maturity levels are presented graphically so they can be easily digested across your organisation.
Identify and classify information across your organisation
An integrated analysis, processing and reporting framework that enables full-text and metadata searching across your content, whether it is stored in OpenText products or SharePoint Online. Content crawler will help you manage your content effectively.
EnCase Content Security
Enterprise Content Security to protect your critical digital assets
Uses machine learning to baseline how staff use your information, then alerts on and responds to unusual behaviour, such as large downloads or deletions.
Easy to deploy and use, and effective in reducing breach risk.