NZ Incident Response Bulletin - May 2023

The May edition of the NZ Incident Response Bulletin was published today. The bulletin is a monthly high-level executive summary of some of the most important news articles published on forensic and cyber security matters during the last month. Each bulletin also includes a section of our own content based on a trending theme; this month's theme is “Privacy”.

Each article has a brief summary and, where appropriate, a linked reference on the web for more detail. We publish this bulletin to keep you up to date with the latest forensic and cyber security news, so that you aren't caught by surprise and know about risks and changes before they become problems.

Our Views:

Privacy in 2023 and beyond… predictions

Increasing impacts on data privacy because of cyber-attacks

In New Zealand the number of data breaches reported to the Office of the Privacy Commissioner has increased over the last year, and this is expected to continue. More importantly, there was a 41% increase in privacy breach notifications that met the serious harm threshold; serious harm can be emotional harm, reputational harm, identity theft or financial harm. There is no indication that breaches will slow down, and it seems likely that New Zealand will see a continued increase in cyber incidents that affect privacy.

Closing the regulation/expectation gap

Current studies indicate a mismatch between the level of personal data protection users want and the regulation currently in place to provide it. It is possible that stricter legislation will be introduced in the coming years to further protect personal information and to hold to account companies that fail to maintain adequate data security controls and privacy procedures. There is also a call for much greater transparency, and companies will need to respond to it.

In New Zealand, the government is already consulting on amendments to the Privacy Act 2020 to see whether it could further align with international privacy law such as the EU General Data Protection Regulation. This includes a proposed requirement to notify individuals when their personal information is collected indirectly, i.e. from a third-party source rather than from the individual.

Consumer Data Right (CDR) legislation is also underway in New Zealand and may be finalised this year. It would allow consumers to securely share data held about them with trusted third parties. Regulation of the use of biometric data is also under consideration.

Regulatory adjustments such as these will help close the expectation gap between consumers and data custodians over the next year by giving individuals more visibility of, and control over, where their data is held. Such changes will in turn require greater visibility and flexibility in how organisations manage data, and businesses will need to remain vigilant to ensure they fully understand their obligations under privacy law.

Increase in demand for privacy-supporting technology

Increased privacy awareness is driving demand for technology that prioritises data privacy, making VPNs, encrypted mail and privacy-focused browsers essential. Third-party cookies are expected to become obsolete, with Google planning to remove support for them in Chrome in 2024. Cookieless tracking techniques such as browser fingerprinting, which can identify a user without a cookie, will fill part of that gap, so browsers and services that enhance user experience while resisting such tracking will be in greater demand.

Privacy by design

Introducing system development frameworks that proactively embed privacy by design has become essential, and use of these is anticipated to keep growing to ensure responsible handling of personal information. More organisations are recognising the benefits of building privacy into their systems and processes from the start, including easier adjustment to regulatory requirements, the ability to provide transparency to customers, and a privacy-aware culture.

Increase in demand for data privacy skills

As privacy demands grow, so will the need for specific skills in this area. Organisations are already required to appoint a privacy officer responsible for privacy in the business, but there will be a growing need for system designers, developers, testers, risk managers, security analysts, marketers and others to have good privacy awareness and skills.

Privacy breach response

Over recent months an estimated 20% of New Zealanders have been affected by one or more large-scale cyber-attacks, resulting in unprecedented volumes of data loss. One such attack prompted the New Zealand Government to publish guidance on its website to avoid a large-scale re-issuing of passports.

Critical to a victim organisation’s response is the ability to review the affected data efficiently. We consider that ‘technology assisted review’ is vital to the success of this process and have developed a new offering we refer to as the Document Analysis Review Tool (DART).

Cyber Governance:

In recognition of Privacy Week 2023 (8 to 14 May 2023), we take a deep dive into the key foundations of privacy in New Zealand.

Foundation 1 - Privacy 101 in New Zealand

We detail below the basic privacy resources you should be aware of as an organisation operating in New Zealand.

The Privacy Act 2020

This is the core legislation in New Zealand governing how organisations can collect, store, use and share personal information. All organisations must be familiar with their obligations under this act.

The 13 Privacy Principles

The 13 privacy principles are set out in the Privacy Act 2020 and govern how your organisation should collect, process and use personal information. The Office of the Privacy Commissioner gives good examples of how the principles apply in a business context.

Privacy Codes of Practice

There are currently six industry-specific codes of practice in New Zealand, which modify the operation of the Privacy Act rules for specific organisations, industries or types of personal information:

Civil Defence National Emergencies (Information Sharing)

Credit Reporting Privacy

Health Information Privacy

Justice Sector Unique Identifier

Superannuation Schemes Unique Identifier

Telecommunications Information Privacy

Foundation 2 - Protecting Data Privacy – The Basics

The more proactive you become about managing data, the less likely it is your organisation will suffer a costly incident from which you cannot recover.

Steps for Organisations

  • Drive a culture of respect for data privacy.
  • Assess your current data privacy practices.
  • Review current data collection, processing, use and storage procedures against relevant regulatory requirements and desired organisational stance.
  • Maintain oversight of partners and vendors – ask to see their privacy policy and procedures.
  • Implement a data privacy framework (see our info on privacy frameworks).
  • Educate your team (and your wider network) on all things privacy. Knowledge is power!
  • Ensure you have a privacy policy and that your team, partners, and customers know your privacy stance.
  • Include privacy education in the onboarding process for new team members, partners, and clients.
  • Remind your teams to update their privacy settings on both work and personal accounts regularly.
  • Ask your employees to consider how privacy applies in their individual roles and suggest improvements or highlight daily challenges.

Steps for Individuals

Data is money. The global data analytics market was worth over $270 billion in 2022 and is predicted to rise to $650 billion within five years. Your data is a slice of this multibillion-dollar industry.

  • Understand the trade-off between convenience and privacy.
  • Make sure you are making informed decisions around when, how and how much you decide to share and consider whether the benefits of sharing are worth the amount of information asked of you.
  • Be wary of services or apps that require you to share irrelevant information.
  • Delete unused applications.
  • Protect your data.
  • Enable MFA and create long unique passwords for each online account.
  • Update your software – enable auto updates for all security updates.
  • Report phishing.
  • Customise your privacy settings to your personal risk tolerance.
  • Check the security and privacy settings on all web apps and set them to share information at your level of comfort. Unless an app needs them to function, turn off default access to the camera, microphone, location and contact sync.

Foundation 3 - Privacy Frameworks

Why implement a framework for data privacy and protection?

According to a recent study by Cisco, organisations with more mature privacy programmes find it easier to comply with shifts in the regulatory landscape and to minimise their privacy risk. To build privacy maturity, a framework can be used to evaluate, monitor and improve your privacy programme.

  • A framework is not a standard: it offers guidance rather than mandatory requirements, which allows flexibility in interpretation and room for growth and adjustment. This matters because data privacy regulations around the world are similar but not identical. A framework lets you meet most relevant regulations while customising for your specific circumstances as you go, and can be adjusted as regulations evolve.
  • Using a framework for guidance means you do not have to start your privacy journey from scratch; it is a starting point that speeds up privacy management in your organisation.
  • Following a well-known and respected framework reduces your risk of a privacy incident.
  • Implementing a framework demonstrates an intentional effort to protect data privacy, which regulators and insurers view favourably. An embedded framework is also beneficial during mergers and acquisitions, where compliance is spotlighted.

Adopting a Privacy Framework

There are several privacy frameworks available globally, including industry-specific examples such as the AICPA Privacy Management Framework (PMF); however, the most relevant and recognised in the New Zealand context are as follows:

NIST Privacy Framework

An excellent choice if you already use the NIST Cybersecurity Framework (CSF), as the Privacy Framework follows the same structure. It is a comprehensive framework comprised of three components, Core, Profiles and Implementation Tiers, which support privacy risk management by connecting business drivers, roles and responsibilities, and privacy protection activities. NIST publications are freely available, which encourages adoption of a structured risk management framework.

ISO/IEC 27701 – International standard for privacy information management

Generally recommended if your organisation is aiming for ISO/IEC certification, this standard complements ISO/IEC 27001 and ISO/IEC 27002 for information security management. It specifies requirements and provides guidance for a Privacy Information Management System (PIMS) as an extension of an ISO/IEC 27001 ISMS, and is intended to let organisations implement compliance efficiently. ISO standards must be purchased.

CIS Controls v8 Privacy Companion Guide

While not a comprehensive framework as such, the CIS Privacy Companion Guide supports the objectives of the CIS Controls by aligning them with privacy principles and detailing the privacy considerations relevant to each control.

Questions to ask when deciding to implement a framework

  • How will the framework benefit our organisation?
  • Does it align with our strategy and goals?
  • What frameworks are already in use in the organisation?
  • Will a new framework complement, conflict with or overlap existing efforts?
  • Will it unify our privacy, security, and compliance areas?
  • Which business processes will this impact?
  • What regulatory requirements are in scope for our organisation?
  • Who needs to be involved in this implementation?

Steps for implementing a framework

  • Map regulatory or compliance requirements against the selected framework(s) to ensure coverage and alignment.
  • Tailor the framework to your organisational requirements, i.e. modify the controls to focus on your key risk areas, operating environment and business functions.
  • Document exceptions: not everything in the framework may be relevant or possible for your organisation. Record where you choose not to implement a control, and why, to ensure an auditable decision trail.
  • Communicate and educate: successful adoption requires communication and adequate support. Ensure the areas of your organisation that need to make changes fully understand the process and why adoption is important.

Foundation 4 - Creating a Privacy Policy

All organisations should document their stance on privacy in a privacy policy. You do not need to reinvent the wheel: there are plenty of good local examples online to kick-start the process, but you must ensure the decisions reflected in your policy, and the language you use to convey them, are consistent with your risk tolerance, culture and brand. Simple, engaging language aids comprehension. The Office of the Privacy Commissioner also provides a useful Privacy Statement Generator tool.

Privacy policies are often categorised as external or internal. Your external policy lets your organisation be transparent with customers and partners about how you collect, use and protect personal information, whereas your internal privacy policy defines your organisation's privacy processes and sets expectations for your teams on how they must handle data and uphold the privacy of customers, fellow employees, partners and vendors.

What your privacy policy should cover:

  1. Contact information: the organisation's full name, address, privacy officer details and a contact method such as a dedicated privacy email address.
  2. Types and categories of data collected: the categories of personal information you collect, sell, share or disclose, and the types of personal information collected from users.
  3. Data sources: how you collect or source data.
  4. Purpose for data collection: how you intend to use the data collected, for example to prevent fraud or to improve customer service. Be as specific as you can. If you are unsure why you are collecting the data, or the reason is overly broad, reconsider whether the data is needed at all.
  5. Legal basis for data collection: the legal basis on which you collect the data.
  6. User rights: the users' rights and how they can exercise them.
  7. Who you share data with: disclose whether you sell or share personal information and be as transparent as possible about these arrangements.
  8. Whether you transfer data across borders.
  9. Whether the data collected is mandatory or optional: indicate clearly which data or categories of data are mandatory and which are shared voluntarily, and the impact on the service. For example, users may decline to share data collected purely for marketing purposes.
  10. Data retention: your organisation's retention policy, how long data will be kept and under what conditions it will be deleted. A recent media release by the Office of the Privacy Commissioner highlighted the importance of clarifying retention, stating that “Data retention is the sleeping giant of data security”.
  11. Security measures: how you protect the data collected.
  12. Effective date: is this policy up to date?
  13. How you will communicate policy changes.

Foundation 5 - Privacy Breach Response

As experienced incident responders and forensic examiners, we know that time is of the essence in a crisis. In the event of a data breach, customers expect to be kept up to date on how it may affect them and what steps they should take. As specialists in the forensic collection and examination of data from a wide variety of sources, we apply advanced investigative and analytical techniques when responding to a data breach.

Our Data Breach Response service is summarised in this guide, which sets out ten factors to consider in order to be better prepared for a potential data breach, including:

  • References to the recently updated Privacy Act 2020
  • Resources to help you improve your level of preparedness
  • Practical steps such as creating plans and playbooks
  • Tools to recover from a breach such as dark web monitoring

Document Analysis Review Tool (DART)

As an incident response firm, we specialise in providing forensic and privacy breach response services. We continue to see increasing demand for post-breach services and compromised-data reviews to meet regulatory and commercial obligations. In response, we have recently expanded our ‘Document Analysis Review Tool’ (DART) suite of services to include two leading cloud-based review tools, Canopy and Reveal. IRS uses these tools to help lawyers review compromised documents efficiently.

DART kick-starts your review by prioritising relevant documents. The first phase applies an extensive list of keywords we have extracted from the New Zealand Government's identity guidelines. Once these responsive documents have been reviewed, the second phase uses the privacy AI model we have developed, which applies ‘continuous active learning’ so that you are presented with the documents most likely to be responsive. DART then produces reports so that courts and interested parties have independently verifiable methodologies and results.
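The first-phase keyword triage described here (and referred to in the ‘Privacy breach response’ section earlier) can be illustrated with a small worked example. The Python below is an added example written for this bulletin; it is not DART or any tool from Incident Response Solutions. The keyword list, weights, identifier patterns and sample documents are all constructed for illustration and are not the New Zealand Government identity-guideline keywords the text refers to. The IRD number check follows Inland Revenue's published check-digit algorithm and is used to drop eight-digit numbers such as invoice references that merely look like IRD numbers. The second phase (continuous active learning) is not shown.

```python
"""Phase-1 triage of a compromised document set before human review.

Added example (not DART). Each document is scored on identity-related
keywords and on regex hits for New Zealand identifiers; candidate IRD
numbers are checksum-verified to cut false positives. Documents are then
ranked so reviewers see the most likely responsive ones first.
"""
import re
from dataclasses import dataclass, field

# Assumed, illustrative keyword weights. Not the NZ Government identity
# guideline list referred to in the bulletin.
IDENTITY_KEYWORDS = {
    "passport": 3, "driver licence": 3, "ird number": 3, "nhi": 3,
    "date of birth": 2, "dob": 2, "bank account": 2, "address": 1, "phone": 1,
}

# Identifier patterns. Formats are assumptions for illustration only.
PATTERNS = {
    # 8 or 9 digits, optionally grouped as NN-NNN-NNN / NNN-NNN-NNN.
    "ird_candidate": re.compile(r"\b\d{2,3}[- ]?\d{3}[- ]?\d{3}\b"),
    # Legacy NHI shape: three letters (no I or O) then four digits.
    "nhi": re.compile(r"\b[A-HJ-NP-Z]{3}\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
IDENTIFIER_WEIGHT = 4

# Inland Revenue's published check-digit weights for IRD numbers.
IRD_WEIGHTS_PRIMARY = (3, 2, 7, 6, 5, 4, 3, 2)
IRD_WEIGHTS_SECONDARY = (7, 4, 3, 2, 5, 2, 7, 6)


def ird_number_is_valid(candidate: str) -> bool:
    """Return True if candidate passes the IRD number range and check-digit test."""
    digits = re.sub(r"\D", "", candidate)
    if not digits or not 10_000_000 <= int(digits) <= 150_000_000:
        return False
    base, check = digits[:-1].zfill(8), int(digits[-1])
    for weights in (IRD_WEIGHTS_PRIMARY, IRD_WEIGHTS_SECONDARY):
        remainder = sum(int(d) * w for d, w in zip(base, weights)) % 11
        computed = 0 if remainder == 0 else 11 - remainder
        if computed != 10:          # 10 means "retry with secondary weights"
            return computed == check
    return False                    # 10 on both passes: not a valid IRD number


@dataclass
class Triage:
    doc_id: str
    score: int
    findings: dict = field(default_factory=dict)


def triage_document(doc_id: str, text: str) -> Triage:
    """Score one document by keyword hits and checksum-verified identifier hits."""
    findings, score = {}, 0
    lowered = text.lower()
    for keyword, weight in IDENTITY_KEYWORDS.items():
        hits = len(re.findall(r"\b" + re.escape(keyword) + r"\b", lowered))
        if hits:
            findings[f"kw:{keyword}"] = hits
            score += weight * hits
    for name, pattern in PATTERNS.items():
        matches = pattern.findall(text)
        if name == "ird_candidate":  # keep only checksum-valid IRD numbers
            matches = [m for m in matches if ird_number_is_valid(m)]
            name = "ird_number"
        if matches:
            findings[name] = len(matches)
            score += IDENTIFIER_WEIGHT * len(matches)
    return Triage(doc_id, score, findings)


def rank_for_review(corpus: dict) -> list:
    """Highest-scoring documents first; these go to reviewers in phase 1."""
    return sorted((triage_document(i, t) for i, t in corpus.items()),
                  key=lambda t: t.score, reverse=True)


# Constructed sample corpus (not real breach data).
SAMPLE_CORPUS = {
    "hr-onboarding.txt": ("Employee onboarding form. IRD number: 49-091-850. "
                          "Date of birth: 12/03/1988. Bank account for payroll. "
                          "Home address on file."),
    "patient-referral.txt": "Referral for NHI ABC1234. DOB 1/1/1970. Phone 021 555 1234.",
    "invoice-2291.txt": "Invoice 12345678 for 3 licences, total $1,250.00. Phone ext 221.",
    "lunch-menu.txt": "Friday lunch: pizza, sushi, fruit. Order by 11am.",
}

if __name__ == "__main__":
    for t in rank_for_review(SAMPLE_CORPUS):
        print(f"{t.score:3d}  {t.doc_id:22s} {t.findings}")
```

On the sample corpus the onboarding form ranks first (a verified IRD number plus several identity keywords), the referral second, and the invoice near the bottom because its eight-digit reference fails the IRD checksum. Keyword counting alone is noisy; a cheap structural check like the check digit buys precision before any model is trained, and the reviewer decisions on this first batch are exactly the labels a continuous-active-learning phase would consume to re-rank the remainder.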

More articles by Campbell McKenzie

  • NZ Incident Response Bulletin - November 2024
  • NZ Incident Response Bulletin - October 2024
  • NZ Incident Response Bulletin - September 2024
  • NZ Incident Response Bulletin - August 2024
  • NZ Incident Response Bulletin - July 2024
  • NZ Incident Response Bulletin - June 2024
  • NZ Incident Response Bulletin - May 2024
  • NZ Incident Response Bulletin - April 2024
  • NZ Incident Response Bulletin - March 2024
  • NZ Incident Response Bulletin - February 2024
