
John Edwards (Privacy Commissioner)
The Office of the Privacy Commissioner has issued its first compliance notice since receiving new powers under the Privacy Act 2020. The notice was issued to the Reserve Bank of New Zealand (RBNZ) and was triggered by a cyber attack in December last year.
In early January, the Reserve Bank of New Zealand – Te Pūtea Matua – revealed it was responding ‘with urgency’ to a breach of a third-party file sharing service used to share and store some sensitive information.
It emerged that, in December 2020, the Reserve Bank had become the victim of a cyber attack, which raised the possibility of systemic weaknesses in the RBNZ systems and processes for protecting personal information.
The breach occurred via a legacy Accellion file sharing system called File Transfer Application – FTA, which the bank has since replaced with a new system.
As a result, RBNZ instigated an internal and external review to identify any shortcomings in its operations.
As part of the investigation into the breach, the Bank engaged KPMG to undertake an independent review of its systems and processes. The review revealed multiple areas of non-compliance with Privacy Principle 5 – storage and security of personal information.
Following the review of the privacy breach, the Privacy Commissioner determined that the Reserve Bank failed to adequately protect a subset of personal information it held despite security safeguards.
The Reserve Bank has now instigated a programme of work to improve policies and processes for protecting personal information.
The compliance notice issued by the Privacy Commissioner as a result of the incident is designed to provide a template for the Bank to report back to the Commissioner, confirming improvements to the policies and procedures intended to make its systems more secure.
Specifically, the compliance notice requires the Reserve Bank to take specified steps by certain dates in order to comply with Information Privacy Principle 5 – storage and security of personal information.
Principle 5 states that organisations must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information.
“The cyber attack was a significant breach of one of the Bank’s security systems and raised the possibility of systemic weakness in the Bank’s systems and processes for protecting personal information,” said Privacy Commissioner John Edwards. “We are heartened by the speed and thoroughness of the Bank’s response.
“We were notified as soon as the cyber attack was identified, and they have been constructive and open throughout the compliance investigation process. We are pleased to see the positive way they’ve dealt with the aftermath of the attack,” he added.
According to Reserve Bank Governor Adrian Orr, the Office of the Privacy Commissioner’s findings were consistent with the findings and recommendations in the KPMG review.
“We accept these findings and take full responsibility for the shortfalls identified in our systems and processes,” he said. “We have a detailed programme of work underway to address these.
“This work started shortly after the data breach incident through our business services improvement programme (BSIP) which continues to be a key priority for us here at Te Pūtea Matua,” he added.