A data breach in an agency that handles private data is a troubling occurrence. In this modern digital age, so much of people’s private information is stored in various databases. We trust reputable organisations and agencies to keep our data safe, and generally they do—but a data breach can happen just about anywhere. Mitigating a data breach is costly, time-consuming, and difficult for the agency involved.
Recent updates to the Privacy Act have placed even tighter regulations on organisations experiencing data breaches. It is now mandatory for an agency to notify both the affected individuals and the Privacy Commissioner when a breach happens, whereas previously this was not required by law. Failure to notify the relevant parties can result in fines of up to $10,000. Security of data has also been a focus on the global stage: in May 2018, the General Data Protection Regulation (GDPR) gave EU citizens the right to ask for their data to be deleted and required explicit consent for companies to acquire it—as well as mandating that people be immediately informed of any breaches, similar to New Zealand’s new legislation. Across the Pacific in California, the CCPA (California Consumer Privacy Act) is set to become law in 2020. It allows the state’s residents to access their information, to ask whether it’s being collected or sold, and to forbid that from happening without any adverse effect on the services and prices they receive. With the GDPR bringing fines as big as €20 million and the CCPA bringing much smaller but still significant fines of up to USD$7,500, this is something that should be noticed and noted by Kiwi businesses—because those who have Californian or EU clients will need to abide by the new rules. That might mean applying the standards across your entire database, or carefully segmenting it should you wish to apply them according to location.
Breaches can and do happen frequently in many different organisations, as evidenced by a recent one that affected the New Zealand Transport Authority. The agency said in a statement that “the Google API was incorrectly left open as part of the Traffic Watcher pre-production set up”, and investigations have attributed the breach to lax attitudes surrounding cyber security, particularly amongst short-term contractors. The Ministry for Culture and Heritage has also recently experienced a breach, which compromised the passport, driver’s licence, and birth certificate information of hundreds of people.
While no agency or system can be completely safe against cyber attacks, a robust security plan can help to ensure that private data is kept safe. If you are interested in learning how your organisation can increase security or attain certification and accreditation to ensure NZISM compliance, get in contact with CANDA, cyber security specialists.