Cyber security breach shines spotlight on data protection
This article was current at the time of publication.
A recent large hack of customer data held by media organisation MediaWorks, where the company missed the Privacy Commission’s 72-hour notification deadline, underscores for practitioners the importance of securing client information and understanding Privacy Act obligations.
One day it could be 400,000 personal records of voting histories on reality television show The Block. Tomorrow it could be your clients’ tax and confidential business records.
This and other hacks show that New Zealand businesses need to lift their game when it comes to cyber security. A recent Kordia cyber security report revealed that one in five New Zealand businesses have no plans to deal with a cyber attack.
This tallies with the findings of CPA Australia’s 2023 Small Business Survey, which revealed that New Zealand small businesses were the least likely among 11 countries surveyed to have reviewed their cyber security in the last 12 months.
Unsafe digital environments
NZ Privacy Commissioner Michael Webster underscored these findings in a recent speech to the National Cyber Security Summit in Wellington, maintaining he was “concerned that businesses and other organisations rely on digital environments but aren’t well set up to run them safely.
“The degree of privacy maturity and cyber security practice is not as developed as I would have expected,” he noted.
The Commission has asked the government to consider greater penalties for those who fail to act appropriately when customer data is compromised.
New Zealand’s maximum penalty of NZ$10,000 pales in comparison with the Australian situation, where serious interference with privacy can land offenders with fines of up to A$50 million.
Towards increasing regulation
Geordie Stewart, chief information security officer at Auckland-based cyber security consultancy NSP, thinks New Zealand will, like Europe under the GDPR (General Data Protection Regulation), become increasingly prescriptive on cyber security measures.
Stewart, who has recently returned to New Zealand after spending the bulk of his career in Europe, says the local privacy regime reminds him of Europe 10 to 15 years ago.
“We’re softly tiptoeing around, trying not to upset anyone. But regulation will step up, and things will start to happen.”
Stewart says much of the conversation around minimum controls takes place in and with the cyber-insurance industry.
Privacy Act principles
As it stands, Principle 5 of New Zealand’s Privacy Act states that organisations must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information.
However, the Act doesn’t mandate any specific minimum measures organisations must adopt. Instead, it recommends as “a strong starting point” ISO 27001, the International Standards Organisation Information Security Management Standard.
For smaller businesses, ISO 27001 “is just overwhelming; many of the things it contains just don’t apply to a lot of businesses,” maintains Stewart, who says a more frequently cited standard is Australia’s Essential Eight.
This was developed by the Australian government’s Signals Directorate to help organisations protect themselves against various cyber threats as part of its Strategies to Mitigate Cybersecurity Incidents.
Stewart says the Essential Eight drew on research by the UK government a decade ago examining why so many small UK companies were falling victim to cyber attacks. It considers the needs and resources of smaller businesses.
Need some help?
CPA Australia has a wealth of resources for practitioners seeking to review or boost their cyber security. These include videos, webcasts, podcasts, courses and online learning.