Crossing the streams: How security professionals can leverage the NZ Privacy Act 2020 to build a stronger security culture


I’ve been fascinated by the volume and variety of digital harms since spending many years responding to individuals and business owners impacted by a wide range of online incidents, anything from data breaches and ransomware attacks to sextortion and scams. That formative experience has driven me to find ways to reduce the emotional and financial harms caused by cyber-enabled crime and social engineering.

Security professionals often struggle with the ‘double intangibility’ of security – the intangibility of risk and the intangibility of protection – when building a business case for proportionate, risk-focused security investment. Changing hearts and minds, and motivating the risk-reduction activities that enhance privacy, often require a legislative catalyst and new compliance frameworks.

New Zealand’s new Privacy Act comes into force on 1 December 2020, and I believe there are ways that security professionals can leverage key aspects – especially mandatory breach notifications – to focus both individual and organisational efforts on securing personal information and preventing privacy harms.

The following slides were presented to ASIS NZ members on Wednesday 19 August 2020, where I used historic data from the FTC’s privacy enforcement regime and the first year of Australia’s Notifiable Data Breaches scheme to identify actionable insights that can be applied in our day-to-day work to build a stronger security culture:

Actionable insights from FTC and OAIC data:

FTC analysis…

  • Focus on information handling – limit access, encrypt data at rest, dispose promptly (54%)
  • Improve processes – monitor systems and data, patch systems, train staff (33%)
  • Manage consumer expectations – ensure privacy notices are accurate and consent is explicit (13%)

OAIC analysis…

  • Understand your data holdings and secure PII
  • Test data breach response plans
  • Review contracts and document accountabilities for investigating breaches, assessing harm and notifying individuals
  • Draft notifications and plan your comms strategy (don’t notify on a Friday!)
  • Support individuals to mitigate the impact of a data breach

Preparing for the Privacy Act presentation – slides from the OPC summarise the key points, including appointing a Privacy Officer, preparing staff and using personal information safely.

Links

Privacy Commissioner guidance

More importantly, it has to be recognised that true compensation for privacy breaches may be an unattainable goal. It is extremely difficult to compensate a person meaningfully for a wrongful disclosure of personal information, for example. The person cannot be restored to his or her original position. Once information is disseminated, the subjects of it permanently lose the measure of control they once had over that information.

Quantum of Damages

FTC enforcement actions

Office of the Australian Information Commissioner Notifiable Data Breaches scheme

Privacy resources
