It’s obvious cybercriminals are breaking the law, but what exactly are the responsibilities of a business that suffers a data breach as a result of an external attack on its systems? For many years, that’s been a legal grey area.
If a small business suffers from a phishing attack, does it have to alert the relevant authorities? If the personal data of that small business’s customers or staff is potentially compromised, do they need to be informed? And if the small business provides misleading information about the cybersecurity breach it suffered, can it be sued or fined?
New Zealand gets with the privacy program
If all goes to plan, there will soon be clear answers to those questions. New Zealand is in the process of making its privacy laws fit for purpose in the 21st century by conducting a legislative overhaul of the Privacy Act 1993. It’s an overhaul that will bring that Act into line with privacy frameworks such as the EU’s General Data Protection Regulation and the Australian Privacy Principles and Notifiable Data Breaches scheme as of 1 November 2020.
Long story short, New Zealand businesses will soon need to notify regulators of privacy breaches that cause, or are likely to cause, “serious harm” to any affected individuals. A person or organisation that obstructs or hinders the Privacy Commissioner, or makes false or misleading statements, could be liable for a fine of up to NZ$10,000.
The reality of cybercrime
You probably know of at least one SME owner who has been targeted by cybercriminals, and the global statistics make for frightening reading. For instance, a Cybersecurity Ventures report predicted the annual cost of cybercrime will reach US$6 trillion (NZ$10 trillion) by 2021.
Malicious actors from all over the world have New Zealanders in their sights and they will take advantage of any opportunity to get under their guard.
For example, as soon as COVID-19 captured people’s attention, national cybersecurity agency CERT NZ started getting reports of online criminals trying to get Kiwis to download infected attachments that supposedly contained COVID-19-related medical information.
The cost of complacency
Crombie Lockwood group broking manager Jan Rodgers says she’s noticed a significant rise in both attempted and successful data breaches since mid-2019. “Cybercriminals will attack any industry and anybody,” she says.
Joseph Fitzgerald, a senior associate at Wotton + Kearney legal firm, warns that even the smallest businesses will be subject to the revised Privacy Act.
“The notification requirement will be completely agnostic,” he says. “[It] will not differentiate between a national company with multiple regional offices and several hundred staff, or a local lawn-mowing contractor who holds the email addresses of a handful of clients.”
Under the revised Privacy Act, that lawn-mowing business will not only have to deal with having money stolen or extorted, it will likely also have to inform their customers, staff and suppliers that they failed to protect their data. On top of the financial loss, it is probably going to face a reputational one, too – one that will make it harder to hold on to existing customers and attract new ones.
19 out of 20 businesses are unprotected
“Unfortunately, only about 6% of New Zealand businesses have taken up cyber insurance,” Rodgers says. “All businesses need to be more vigilant and look at their policies and discuss their coverage. That’s what Crombie Lockwood brokers are here for.”