I’ve been fascinated by the volume and variety of digital harms since spending many years responding to individuals and business owners impacted by a wide range of online incidents, anything from data breaches and ransomware attacks to sextortion and scams. That formative experience has driven me to find ways to reduce the emotional and financial harms caused by cyber-enabled crime and social engineering.
Security professionals often struggle with the ‘double intangibility’ of security – the intangibility of risk and the intangibility of protection – when building a business case for proportional, risk-focused security investment. Changing hearts and minds and motivating risk reduction activities that enhance privacy often requires a legislative catalyst and new compliance frameworks.
New Zealand’s new Privacy Act comes into force on 1st December 2020, and I believe there are ways that security professionals can leverage key aspects of it – especially mandatory breach notifications – to focus both individual and organisational efforts on securing personal information and preventing privacy harms.
The following slides were presented to ASIS NZ members on Wednesday 19th August 2020. In them I used historic data from the FTC’s privacy enforcement regime and the first year of Australia’s Notifiable Data Breaches scheme to identify actionable insights that can be applied in our day-to-day lives to build a stronger security culture:
Actionable insights from FTC and OAIC data:
- Focus on information handling – limit access, encrypt data at rest, dispose promptly (54%)
- Improve processes – monitor systems and data, patch systems, train staff (33%)
- Manage consumer expectations – ensure privacy notices are accurate and consent is explicit (13%)
- Understand your data holdings and secure PII
- Test data breach response plans
- Review contracts and document accountabilities for investigating breaches, assessing harm and notifying individuals
- Draft notifications and plan your comms strategy – don’t notify on a Friday!
- Support individuals to mitigate the impact of a data breach
Preparing for the Privacy Act presentation – slides from OPC summarise the key points, including appointing a Privacy Officer, preparing staff and using personal information safely.
Privacy Commissioner guidance
- Privacy Act 2020 – a fantastic set of resources direct from OPC includes elearning, blogs, podcasts and videos to bring you fully up to speed on all the changes
- Key changes in Privacy Act 2020
- Remedies under the 1993 Privacy Act (Word) – covers the full remit of OPC activities and makes the important point, quoted below, that privacy harms cannot always be compensated for; prevention is the key!
More importantly, it has to be recognised that true compensation for privacy breaches may be an unattainable goal. It is extremely difficult to compensate a person meaningfully for a wrongful disclosure of personal information, for example. The person cannot be restored to his or her original position. Once information is disseminated, the subjects of it permanently lose the measure of control they once had over that information.
- Privacy and CCTV
- NZ CCTV guide including a checklist for SMEs (PDF)
- Facial recognition technology in NZ
Quantum of Damages
- Damages Awarded by the Human Rights Review Tribunal under Privacy Act 1993, s 88(1)(c) – damages for emotional harm/significant emotional harm since 2012
- Record damages awarded for cake photo breach
FTC enforcement actions
- FTC Privacy and Security Acts and Resources
- FTC consumer protection cases – since 1999
- Legally “reasonable” security requirements: A 10-year FTC retrospective
Office of the Australian Information Commissioner Notifiable Data Breaches scheme
- Notifiable Data Breaches scheme 12-month insights report – lessons learned in Year One
- Quarterly reports on incident trends
- Professor Solove’s Taxonomy of Privacy
- NIST Privacy Framework
- Privacy Maturity Assessment Framework (PMAF)
- The Privacy Opportunity Wheel – Gaining buy-in for a privacy programme