Consider whether to collect information – is it necessary to collect and hold personal information?
It is estimated that cybersecurity crimes costs New Zealand businesses in the regionof $250 million to $400 million a year.
For many New Zealand businesses, the importance and sheer enormity of cybersecurity risks has made its way into boardrooms and senior leadership teams. It requires a systematic risk management approach, along with increased general awareness.
Of course, IT remains a key part of any cyber risk management strategy – it creates firewalls, passwords and up to date virus-checkers that are all central to your business’ protection.
However, experts warn IT solutions alone are ineffective in guarding against cyber risks.
Generally, the current response is to apply basic risk management strategies to the cyber context with an aim of keeping New Zealand open for business.
Most Kiwi businesses are not yet fully aware of the legal consequences of poor cyber risk management. Experience tells us the cyber breach litigation of LinkedIn and Target may soon be a reality for New Zealand firms.
Recent commentary from the Privacy Commissioner suggests that the regulatory enforcement horizon may also heat up in the future. The Commissioner has indicated a desire for greater penalty and enforcement powers under the new privacy legislation regime.
It is important that all your employees are aware of what they need to do to help protect your systems and your clients’ sensitive information.
What should your business focus on?
Businesses should develop a data breach response plan, provide regular training to their employees, and actively consider or address supply chain risk and make suitable insurance arrangements.
As well as a suitable and tested crisis management plan, cyber risks insurance can be an important cyber resilience tool offering assistance to contain a crisis when it happens. It can provide protection against both first-party losses (such as business interruption, the cost of recovering data), and third-party losses (such as claims by others for breaches of contract or data loss due to the information breach).
Expertise and guidance is available to help businesses prepare systematic and practical cyber risk management plans, appropriate to the organisation’s size and complexity. By acting now, you can improve your business’ sustainability.
Eight steps to managing data risks and protecting personal information
Effectively managing data risks and protecting personal information during the stages of its lifecycle involves the following steps:
- Consider whether to collect information – is it necessary to collect and hold personal information?
- Privacy by design – how are personal information protection and handling procedures embedded in practices and policies?
- Assess the risks associated with collecting personal information for a new process or change to an existing process, and as ‘business as usual’.
- Take appropriate steps to protect personal information.
- Destroy or de-identify personal information when it is no longer required.
- Train staff to be vigilant with passwords, confidentiality of data and scam emails.
- Reduce the quantity of any marketable data held by the business, and how long it’s held for.
- Run cyber security checks and check terms in contracts with suppliers.
Make sure you are aware of privacy risks
It is important to balance the benefits of technologies like cloud computing with potential risks to privacy and security, particularly where information is stored offshore.
The Privacy Act 1993 applies whenever a business collects personal information about an individual, and sets out rules in relation to the collection, use, storage and disclosure of such information. The Privacy Act provides that an organisation that holds personal information must ensure that it is protected using reasonable security safeguards against loss, access, use, modification, unauthorised disclosure and misuse.
As well as the Privacy Act, certain types of information (in particular personal information about credit, health or telecommunications) are also protected under separate Privacy Codes of Practice. If you are collecting personal information that falls within these Privacy Codes of Practice, please be aware that you may need to have extra security and safeguards in place to protect that information.
Do you know what to do if there is a data breach?
With the increased threat of cybercrime, it is important to know now what you’ll need to do if the worst happens.
Firstly, if there is a security breach and personal information is leaked, you don’t have to tell anyone by law. However, you should consider whether notification is a good idea, with the goal of containing the breach and preventing further loss and damage.
The Office of the Privacy Commissioner provides a useful guide to help you work out an appropriate response.
New Zealand’s privacy law is also likely to undergo significant reforms in the near future; this may include mandatory notification of breaches to either the Privacy Commissioner, and/or to the individuals concerned.
How can you keep your staff aware of their responsibilities?
The massive 2015 cyberattack on US health insurance giant Anthem (78 million customer records exposed) came when an employee opened a "phishing" email - a pretend official communication but which some unprepared staff still fall victim to, giving hackers access to the system once opened.
It is certainly vital that you have in place your management plans to try to prevent or deal with any cyberattack.
However, it is important that all your employees are aware of what they need to do to help protect your systems and your clients’ sensitive information.
A great way to do this can be through simple and effective online training, which is up to date with current New Zealand law.
Richard Wells is a partner - corporate and commercial, MinterEllisonRuddWatts.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.