72 hours to act

What directors need to know about cyber breaches and the Privacy Act, starting with the legal and moral obligations.

Article by Phil Dobson, Acting GM Aura Information Security, part of the Kordia Group
30 Sep 2022

Time for some bad news. A cyber security breach of some form is almost inevitable so treat it as a matter of when, not if.

That should tell you one thing straight away. You need to know in advance what to do when a cyber security breach occurs. Part of your plan must include knowing your legal obligations for notification under the Privacy Act, and your moral obligations to customers and any related parties who may be affected.

One of the positive developments of cybercrime affecting so many organisations is the de-stigmatisation of falling victim. In other words, it is practically expected that your company will be targeted and, instead of victim-blaming, you are more likely to experience sympathy and consideration from consumers and fellow business leaders.

These days, it would only be in extenuating circumstances – for example, in a case of extreme negligence – where righteous blame or criticism might come your way.

The Privacy Act 2020

The Privacy Act was updated in recent years to reflect changing circumstances, including how we use and depend upon technology and data systems. The act now requires notification to the Privacy Commissioner of any privacy breach where there is reason to believe serious harm has been caused or is likely to be caused to any individual.* The affected individuals must also be notified.

Eagle-eyed (or, indeed, legal-eyed) directors will immediately note room for interpretation within this stipulation. What constitutes a privacy breach or serious harm?

The first is addressed: the Act defines a privacy breach as any unauthorised or accidental access to, or disclosure, alteration, loss or destruction of, personal information, or any action that prevents the agency from accessing the information on either a temporary or permanent basis.

Assessing whether a breach is ‘likely to cause serious harm’ is not as simple, but factors to consider include:

  • Whether the information is personal and sensitive in nature (credit card details, medical records, etc).
  • What harm might be caused to the affected individuals?
  • Who, or what organisation, might obtain the compromised personal information?
  • Was the personal information protected by security measures?

There is also the proviso of ‘any other relevant matters’, leaving the gate open again for interpretation.

Notably, the obligation is reporting to the Privacy Commissioner and affected individuals ‘as soon as practicable’.

However, the expectation is that the commissioner will be notified within 72 hours.

Notification is essential for several reasons. The commissioner can guide you on any other notifications you may be required to make, which may be industry-specific, while data regarding the frequency of cyber breaches is invaluable in improving detection and prevention.

Notifying CERT (the Computer Emergency Response Team) is also advisable. By notifying CERT of a breach, you are likely to receive assistance with resolving your issue.

Moral obligations

While the legal requirements provide some guidance on what constitutes a breach, most directors will have a clear personal interpretation of their moral obligations.

You will have a good sense of what information is sensitive within your organisation. You will also know which data your customers, suppliers and other related parties might not want made available, and have a keen sense of who should be notified and where notifications should go. This means your network of contacts can take their own precautions against falling victim to a similar scam, or to an extended version of the one compromising your own systems.

It is advisable to use the moral compass as a guide, alongside the legal one. Again, there is little-to-no stigma involved, and cleaning up a breach is more effective and arguably easier when handled with bona fides.

Your company’s good name and trust depend on being able to provide clear, helpful information to your stakeholders and customers. Taking the right approach is key to moving on from a breach with your reputation relatively intact.

Get the plan together

An incident response plan which includes notification is a must for any organisation. While 72 hours may seem like a reasonable amount of time to gather a full and accurate picture of what happened during an incident, these hours can evaporate quickly when you are in the midst of a crisis.

Having a plan in place that sets down how information will be gathered and communicated to the relevant stakeholders will ensure the process runs as smoothly as possible.

Exactly what constitutes an incident response plan is a ‘how long is a piece of string’ situation. Your plan is built on a stack of variables, including industry type, threat profile and technology maturity to name a few.

However, common to most plans will be establishing a ‘war room’, from which all command, control and communication is run. This doesn’t have to be a physical space; now that many of us work remotely, it could also be a Teams group or a Slack channel.

Within the war room, you would have an incident controller in charge of managing actions and responses. In some cases, executive teams are split in two, with one running ‘business as usual’ and the other handling the crisis. The crisis group should include representatives from various departments within the business, including legal and communications staff.

Create a run sheet of activities and responses. While an actual event is likely to differ from the planned one, just having some guidance helps focus the mind and guide actions when the worst does happen.

Build out a scenario in your plan which would see you notifying customers and the Privacy Commissioner. Consider in advance what external support you may need to do this – be it a law firm or even your PR agency – and make sure they are factored into your plans.

There is plenty of help available for plan formulation from online resources and cyber security providers. If you don’t have something in place already, there’s no better time than the present to start the process of building one.

As stated already – your preparedness can only benefit from treating it as a matter of when, not if.

*The Privacy Commissioner can be notified via www.privacy.org.nz
