Revised Privacy Act – Data Breach Laws

Data Breach - Computer Troubleshooters1 Dec 2020

Most kiwi businesses and organisations will be aware that New Zealand’s new Data Breach laws became effective 1st December 2020.

The purpose of this article is to educate our clients and others about what you as a business or organisation need to do.

Why a new Data Breach Law?
Strictly speaking it's not really a new law, its more of an amendment to reinforce the effectiveness and to give it some bite by way of expensive penalties for offenders.
Why Prevent a Breach?
To quote from the Privacy Commissioner’s website. "Privacy breaches are a reality for organisations that hold people's personal information. It’s vital for your organisation's reputation and its relationship with the customers/clients whose information you hold, that you do everything you can to prevent a privacy breach from happening."
With the Internet quickly becoming the lifeline for Kiwi businesses, organisations and non-profits, cyber security has never been more relevant.
Who does the new law apply to?
In public meetings and on the New Zealand Legislation website, the privacy commissioner has said "it applies to all agencies. ‘Any person or body of persons, whether corporate or unincorporate, and whether in the public sector or the private sector’.

What do you need to do?
The act breaks this down into three areas.
Preventing Data Breaches.
Responding to a privacy breach.
Reporting a privacy breach.

Preventing a Privacy Breach

All businesses and organisations that we see in the course of our work, hold information about other people, businesses and organisations. This may be as simple as names and email addresses or as complex as detailed health or accounting records. Any "leakage" of this information would be considered a data/privacy breach under the act. Businesses are urged to take Privacy Breaches seriously.
1 - Physically Secure Information:
Portable devices like Laptops, Tablets, Smartphones, USB sticks and Portable hard drives are a real concern here, especially if left unattended in public places or visible in parked cars. A system needs to be put into place to secure all devices (not just portable devices)
2 - Prevent Employee Browsing: This is a term to describe employees inappropriately accessing customer information. You need to have clear policies and consequences about employee browsing in your "code of conduct".
3 - Safely Dispose of Information and Documents This not only applies to shredding of documents no longer needed, but also to the disposal of electronic equipment that may have contained data.
4 - Preventing data breaches through email This is a big one. Depending on the sources you may read, 80-95% of all successful Business Email Compromises (BEC) start with an inbound email. You need to be careful with outbound mails, check that the right attachment is attached and that the CC and BCC fields don't include addresses that shouldn't see the information contained in the email or attachment.
5 - What to do if you have sent an email to the wrong email address Act quickly. Email the recipient and ask them not to open the email and delete. Treat an email breach as a privacy breach. If serious you must notify the Privacy Commissioner. Link to the NotifyUs Online Tool.

Responding to a Privacy Breach

You will need to disable the breached system, change computer access codes, try and get the information back, and notify the commissioner of the breach. Further and more detailed information can be found at the Privacy Commission Website

Reporting a Privacy Breach

The Privacy Commission has built an online system called NotifyUs specifically for purpose.

How can we help you?

In the past we as the whole IT industry has typically sold cyber security services using fear tactics. Businesses and Organisations are now more mature. One only needs to look at the news each day to see the reality of Cybercrime. The need to be more secure is obvious.

Computer Troubleshooters can provide the full gambit of services and solutions to reduce your business's risk of having a data breach, that not only damages your reputation, but can also cost a lot of money in penalties.

For Example:
Email Solutions: Advanced Threat Protection and Filtering, Microsoft 365 and G-Suite Backup, Secure Email Archiving etc.
Endpoint Security: Managed Antimalware and Patching services. User rights and permissions management. End user testing. Secure DNS.