By Eric Keser, Head of Security Advisory at Pure Security
New privacy laws in New Zealand mean that Australian businesses holding personal information about New Zealand residents will need to report not only data breaches in which Personally Identifiable Information (PII) is accessed by unauthorised users but also, for the first time, from 1 December 2020, incidents in which that data becomes inaccessible. On this point NZ privacy law will differ from Australian law.
In an age where ransomware, a system failure, or the sudden disappearance of a cloud service can make PII inaccessible, New Zealand's new data breach rules will require Australian businesses to report when PII they hold cannot be accessed, where the loss of access causes, or is likely to cause, serious harm.
Importantly, information does not need to be stolen to trigger a report – it only needs to be inaccessible, with serious harm resulting. Inaccessible information could include data with an obvious high-availability requirement, such as patient medical records in a hospital, but potentially also sales data for a retailer or energy-use information held by a utility.
CIOs, CISOs and CSOs in Australia are already obliged to have processes in place to ensure PII is protected and, in the event of a breach, to execute procedures for notifying affected parties and the Office of the Australian Information Commissioner (OAIC) within specific timeframes. For entities that also operate in NZ, those obligations are now only part of the story: New Zealand's notification scheme, which takes effect on 1 December 2020, also covers PII that has become inaccessible.
This broader view of what a notifiable breach is means Australian businesses dealing with New Zealand residents will also need to report when access to PII is simply lost. Section 117 (1) of the New Zealand Privacy Bill defines a privacy breach as either "unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or an action that prevents the agency from accessing the information on either a temporary or permanent basis."
For senior IT leaders this means that incidents such as ransomware and denial of service attacks, which can make data inaccessible and potentially lose it forever, are reportable under the new rules. Even an ordinary system outage that prevents access to PII could, if serious harm results, oblige a business to notify the New Zealand Privacy Commissioner.
Reports from a number of security vendors tell us that Australia is a prime target for ransomware and that the number of attacks has escalated during the COVID-19 pandemic. In just one sample of data from 2019 there were over 2,800 ransomware incidents in Australia, every one of which interrupted access to data. Other recent data shows that denial of service attacks, which block access to systems, are increasing in both number and magnitude, with Australian businesses seeing about ten of these attacks every hour. Over the same period, the OAIC received fewer than 1,000 breach notifications.
Even accidental errors can prevent access to data. Anything from forgetting to renew a software licence or an expiring SSL/TLS certificate through to a hardware failure on the network can result in a loss of access to data.
In other words, unauthorised access to PII is only a small part of the problem. In the reported Australian ransomware attacks, system recovery took, on average, more than two weeks. And the reported 2019 ransomware attack on Cabrini Hospital showed that not only was a large amount of PII inaccessible during the attack, but some of the data was never recovered.
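A concrete check for one of the accidental causes mentioned above, an expired certificate, added here as an example and not drawn from the article: a script that flags a TLS certificate due to expire within a renewal window, exercised against a throwaway short-lived certificate it generates itself (constructed input). It assumes the openssl command-line tool is installed; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article): flag a TLS/SSL certificate that will expire
# within a renewal window, so an expiry never silently takes a service offline.
# Assumes the openssl CLI is installed. Function and file names are this example's own.

# cert_expires_within CERT_PEM SECONDS
# Returns 0 (true) if the certificate expires within SECONDS from now, is already
# expired, or cannot be read at all (fail-safe: an unreadable cert is treated as a
# problem); returns 1 (false) if it stays valid for the whole window.
# Built on `openssl x509 -checkend`, whose exit status is 0 when the cert will NOT
# expire within the window, so the result is inverted here to read naturally in an `if`.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# make_short_lived_cert OUT_PEM DAYS
# Generates a throwaway self-signed certificate (constructed test input). In production
# you would point cert_expires_within at the certificate the server actually presents.
make_short_lived_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=expiry-demo.example" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/demo.pem"
make_short_lived_cert "$CERT" 2        # valid for two days only

RENEWAL_WINDOW=$((30 * 24 * 3600))     # 30 days is a common renewal lead time
if cert_expires_within "$CERT" "$RENEWAL_WINDOW"; then
  echo "RENEW NOW: $CERT expires within 30 days"
  openssl x509 -in "$CERT" -noout -enddate
else
  echo "OK: $CERT is valid for at least 30 days"
fi
```

Run it from cron against each certificate a service presents; the inverted exit status means the alarm branch also fires when the file is missing or unparseable, which is the behaviour you want from a check whose purpose is to prevent an unnoticed outage.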
With over a quarter of reported cyber attacks resulting in loss of access to data, this change to New Zealand’s legislation means the number of reportable incidents is likely to increase significantly.
The notification regime in Australia does not compel businesses subject to the Privacy Act 1988 (Cth) to notify anyone when PII is inaccessible. It does not even require a business to notify anyone when the data is permanently lost, unless that loss is likely to result in unauthorised access to or disclosure of the data. There is some provision for ASX-listed companies under ASX Listing Rule 3.1, which obliges them to disclose to the ASX any information that a reasonable person would expect to have a material effect on the value of the company. But that rule is not specifically focussed on cyber incidents or their effect on access to PII or other types of data.
The New Zealand legislation provides helpful guidance to all, even those concerned only with Australian privacy legislation, that serious harm can also be caused by the loss of access to PII. Only time will tell how the Australian Commissioner, and the courts, treat Australia's definition of a notifiable breach, and whether they will in due course consider loss of access to PII.
Even if your company doesn't conduct business across the ditch in New Zealand, or in other overseas jurisdictions, it is wise to ensure your privacy controls and response plans also cover the loss of access to PII, and not just its disclosure to unauthorised persons.
CIOs, CSOs and CISOs should have processes in place to mitigate the risk of loss of data access as well as unauthorised access. This isn’t just to meet a regulatory or compliance requirement. It makes good business sense.