Reseller News

Channel weighs in on NZ data breach notification laws

Legislation expected as part of changes to the Privacy Act now being drafted by the Ministry of Justice

Data breach notification is widely expected to become mandatory in New Zealand, positioning the channel as subject matter experts across the country.

As part of changes to the Privacy Act now being drafted by the Ministry of Justice, Privacy Commissioner John Edwards has recommended fines of up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate being breached.

Despite the direction of travel being clear in New Zealand, barriers still remain, with government approval still required.

Should the expected green light occur, however, the finer details of a potentially complex law will need to be ironed out as the country aligns its legislation with the rest of the world.

On the presumption that approval will be granted, the channel will be the first responders, fighting on the front line as Kiwi organisations grapple with the law changes.

Security, and all it encompasses, continues to dominate the agenda of executives in organisations up and down the country, with trusted third-party advisors sought to help navigate through the murky waters of legislation.

“New Zealand has lagged behind our major trading partners in this area and the announcement by the Privacy Commissioner shows that the issue of data security is taken very seriously,” Origin founder and CEO, Michael Russell, told Reseller News.

“We welcome this announcement. It’s good news for consumers, the public and businesses that work with organisations that hold their data – and isn’t that just about every business these days?”

According to Russell - drawing on 20 years of technology expertise in New Zealand - organisations across the country will now be held to a higher standard of transparency, alongside being accountable for the robustness of IT systems.

“Businesses should be doing everything that they can to keep information secure, whether it be data protection, securing IP and customer information or preventing access to systems,” Russell advised.

“These are all highly valuable commodities and the onus is on all businesses to prevent, detect and disclose breaches. It’s part of good governance and risk management and something that every organisation should be devoting a lot of board and management time to.”

For Russell, organisations can ill afford to treat data security as an “IT business”, insisting that the threat now represents a business risk issue, warranting a dedicated allocation of resources to manage and mitigate.

“Information security will be an area of heightened focus for organisations,” he added. “It’s an increasingly specialist area and one where we’ll start to see an uplift in outsourcing activity as companies begin to realise the time and cost to do it well, and the risks involved in attempting to manage it without specialist dedicated resource.”

The latest push for change from the Privacy Commissioner comes 18 months after a huge hack of Yahoo email accounts, a service then used by Spark locally, impacting more than 130,000 Kiwi users.

During the breach - which exposed more than five million user accounts - Edwards insisted that the hack “exemplified the international nature of privacy”, before hammering home the importance of reform through mandatory breach notification laws.

“This is an inevitable move as we increasingly became part of a global, digital economy,” SecureCom director of sales and marketing, Greg Mikkelsen, told Reseller News.

This has just taken effect in Australia and MBIE have been signalling for some time that New Zealand will follow Australia with regards to mandatory reporting of breaches.

“It’s also important for investor and business confidence that we are known for having a transparent regime.”

In surveying the current state of the market, Mikkelsen said most customers are aware that some type of mandatory reporting is on the cards, with cyber security continuing to be a high-level agenda item for boards and executives.

“We have seen a lift in companies wanting to train their staff in cyber awareness training and we expect that to continue for the foreseeable future,” he added.

NZ vs. rest of the world

As reported by Reseller News, the Privacy Commissioner warned the new government that the country's competitive trade advantage with Europe is at risk because current privacy laws have fallen behind international standards.

As a result, further reforms were now required urgently.

“If this happens then the upside is that New Zealand will have caught up with the rest of the world,” Duo co-founder and director, Kendra Ross, told Reseller News.

“But to think a mandatory breach notification law is the silver bullet to cyber breaches is incorrect, although it is very good business for the compliance and insurance people.”

According to Ross, in citing global research, when such legislation is enforced through sizeable fines, businesses in fact do the “bare minimum” to meet the compliance standards in place.

“They don’t take a long-term approach in their cyber security strategy,” Ross added. “Attackers are becoming more sophisticated and we are of course becoming more connected, therefore more breaches will continue to grow with or without this law.

“This can’t be all the government does to protect New Zealand and its people, it will be a failure if it is.”

From a global perspective, worldwide spending on security-related hardware, software, and services is forecast to reach US$119.9 billion by 2021, triggered by new threats, increased regulations and digital investments.

Specific to the channel, more than 80 per cent of security spending during 2017 covered services and software, spearheaded by managed security services (US$15.25 billion) and integration services (US$12.5 billion).

“Cyber security breaches are a global issue that affects New Zealand organisations as much as it does international organisations,” Dimension Data head of security practice, Matthew Lord, told Reseller News.

“We believe that the proposed mandatory disclosure changes will have a positive impact, creating a level playing field of trust and a de facto minimum acceptable cyber security compliance requirement.”

Lord said the legislation would, however, mean that Kiwi organisations will have to increase overall maturity levels in the context of cyber security policies, processes and technologies.

“This is in order to avoid breaching their customer’s trust, or operating below acceptable cyber security standards should such a breach occur,” Lord explained.

“Dimension Data, part of NTT Group, has one of the largest cyber security companies in the world, and is already working with organisations to increase their level of cyber security maturity, including how they protect and respond to data breaches.”

As outlined by Plan B managing director, Ian Forrester, the digital economy and the resultant generation of data is growing "faster than ever before", with regulation "playing catch up".

“The world is moving to address this and if New Zealand is to remain competitive in an increasingly global economy, it will have to follow or risk getting left behind,” Forrester said.

“Australia has made the move to address data breaches so it is now only a matter of time before we do the same.

“When we do, penalties will have to apply if it is to have any impact so I would expect some significant changes in the way businesses operate, manage and protect their networks in the future, as this is the gateway to their most valuable asset, their data.”

Yet despite a channel consensus that change must be instigated at both government and business levels, challenges remain.

“Data breach notification is a very complex subject, it is double-edged and is not a silver bullet,” Datacom general manager of cyber security, Mark Ellis, told Reseller News.

“With that acknowledged, breach notification is an essential measure to meet our privacy and trust expectations (legal or moral).”

In looking ahead, Ellis said the government will need to "take care" to ensure that the processes defined deliver the outcome "everyone wants and needs" in New Zealand.

“As cyber risk continues to gain global visibility, having robust legislation will become an important component for international trade,” he added.

In 2018, Kiwi businesses will go to battle in the pursuit of recruiting cloud and security expertise, as the technology industry once again faces a skills shortage.

As digital transformation deployments increase across the country, coupled with potential new legislation, cloud and security will underpin board-level strategies in the next 12 months, as organisations seek both internal and external guidance.

“CCL remains very much client-focussed and ultimately in any data breach situation our focus is on what’s right for the client, and that may include notification,” CCL CTO, Jon Waite, added. “We believe all organisations should do the same.”