Cybersecurity and Privacy Breach Notification
3 November 2020
When we talk about the impact of the COVID-19 pandemic, we tend to think about the health or economic impacts. Less well understood are the opportunities that have opened up for cyber crime, as major global economies looked to move online almost overnight.
New Zealand is not immune from these attacks. In September this year, NZX was attacked over the course of several days, and trading had to be suspended until the problem was resolved. It seems that a number of the companies trading on the exchange were also targeted, although they were advised by the Government Communications Security Bureau to avoid public comment.
As well as the disruption to normal business trading, those attacks carry a significant cost in terms of reputational damage, and the technical expertise required to investigate the attacks and secure the IT systems affected.
The challenges of working from home
New Zealand’s rush to adopt a new way of working when nationwide lockdowns were announced left cyber backdoors and windows open at many Kiwi businesses, making them vulnerable to attacks. New Zealand Police estimated that during lockdown Kiwi businesses lost $2.2 million to scammers.
During the lockdown period, scammers also preyed on people’s emotions by attempting to extort social media passwords in exchange for supposedly urgent information about the ever-evolving pandemic. CERT NZ – the Government agency in charge of New Zealand’s cyber preparedness – received steady reports of online criminals using the pandemic as an opportunity to carry out online scams and malicious cyber activity.
Keep yourself and your colleagues safe
Regardless of your practice’s budget for cybersecurity, there are some basic things you can do right now to keep yourself and your colleagues safe from cyber crime, and to protect your patients’ information.
- Take your passwords seriously
Put simply, you need strong passwords, and you need to change them regularly. It might be convenient to use “password” for everything but you’re putting yourself at severe risk. Ideally, your passwords should have a mixture of lower- and upper-case letters, numbers and special characters.
Once you have a strong password, you should avoid using it for all your devices and applications and aim to update it every few months. If you’re finding it difficult to keep track of everything, a password manager is a good idea – it’s effectively a vault for all your passwords.
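The two rules above (mix of character classes, no reuse across accounts) can be checked mechanically. The following Python is an added example written for this page, not code from the article or from CERT NZ; it generates passwords from the operating system's secure random source with every character class guaranteed, reports which classes a candidate password lacks, and flags accounts that share a password. The minimum length of 14 and the special-character set are assumptions, not figures from the article, and the account list is constructed sample data.

```python
import secrets
import string

# Character classes named in the article: lower- and upper-case letters,
# numbers and special characters. The special-character set is an assumption.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?/",
}

# Assumed minimum length; the article gives no figure.
MIN_LENGTH = 14


def missing_classes(password: str) -> list:
    """Return the names of the character classes the password does not contain."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def is_strong(password: str, min_length: int = MIN_LENGTH) -> bool:
    """Strong under the article's rule of thumb: long enough and all four classes present."""
    return len(password) >= min_length and not missing_classes(password)


def generate_password(length: int = 20) -> str:
    """Build a random password using the OS CSPRNG, with each class guaranteed to appear."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    # One character from each class first, then fill from the combined alphabet.
    chars = [secrets.choice(pool) for pool in CLASSES.values()]
    alphabet = "".join(CLASSES.values())
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle so the guaranteed characters do not always sit at the front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def reused_accounts(passwords: dict) -> list:
    """Group accounts that share the same password; each group is a reuse to fix."""
    by_password = {}
    for account, pw in passwords.items():
        by_password.setdefault(pw, []).append(account)
    return [accts for accts in by_password.values() if len(accts) > 1]


# Constructed sample: three accounts, two of them sharing a weak password.
SAMPLE_ACCOUNTS = {
    "email": "password",
    "accounting": "password",
    "practice-system": "Tr0ub4dor&3-horse-staple",
}

if __name__ == "__main__":
    for account, pw in SAMPLE_ACCOUNTS.items():
        print(account, "strong" if is_strong(pw) else f"weak, missing {missing_classes(pw)}")
    print("reused across:", reused_accounts(SAMPLE_ACCOUNTS))
    print("suggested replacement:", generate_password())
```

A password manager does the generation and the reuse bookkeeping for you; the point of the block is to show that both checks are simple and deterministic, so there is no reason to leave them to memory.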
- Check your privacy settings
Know and control who can see your information. It might seem harmless to share pictures of friends and family gathered at special occasions but remember that the more you share, and the more identifiable everyone is, the more data you’re potentially providing cyber criminals.
Check the privacy settings on your social media accounts so that only friends and family can see your full details. Unlike or unfollow social media pages and leave groups that you no longer have an interest in.
The basic principle is to give out as little information as possible when you’re online, particularly when you’re signing up for what are marketed as ‘free’ services or apps.
- Stay on top of all the relevant software updates
Keep up to date with any software updates that are issued for your phone, computer or IT system. Not only do those updates improve the usability of your system, they also contain regular security upgrades that patch known flaws.
- Use two-factor authentication
Two-factor authentication (2FA) is a way of double-checking that someone is who they say they are when they try to log in to a system. So, as well as providing their username and password, they will often be asked to enter a special code that is texted to their phone.
You can add 2FA to all sorts of things but it’s essential on systems like email or accounting software.
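The article describes a code texted to a phone; authenticator apps generate the same kind of one-time code locally using the TOTP standard (RFC 6238, built on HOTP from RFC 4226). The following Python is an added example written for this page, not code from the article or from any authenticator vendor. It shows how a code is derived from a shared secret and the current 30-second time step, how the server side checks it with a small tolerance for clock drift and a constant-time comparison, and why an old code stops working. The secret used is the public test vector from the two RFCs, not a real credential.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Public test secret from RFC 4226 / RFC 6238 Appendix B (not a real credential).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = ((digest[offset] & 0x7F) << 24
            | digest[offset + 1] << 16
            | digest[offset + 2] << 8
            | digest[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step (default 30 s)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    (phone and server clocks drift), comparing in constant time to avoid timing leaks."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def new_shared_secret() -> str:
    """Fresh 160-bit secret, base32-encoded as authenticator apps expect at enrolment."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


if __name__ == "__main__":
    secret = base64.b32decode(new_shared_secret())
    now = time.time()
    code = totp(secret, now)
    print("code now:", code)
    print("accepted now:", verify_totp(secret, code, now))
    print("accepted two minutes later:", verify_totp(secret, code, now + 120))
```

The `window` parameter is the trade-off point: a wider window tolerates more clock drift but lengthens the time an intercepted code stays usable, which is one reason app-based codes, which never cross the phone network, are preferred over texted ones where the service offers them.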
These are a few basic tips to get you started but cybersecurity is something you need to take seriously. For more information, check out the resources at www.cert.govt.nz.
Privacy Act 2020 changes
The major changes to the Privacy Act (effective 1 December 2020) are the mandatory notification to the Privacy Commission of some privacy breaches and the requirement to advise patients/clients that personal information collected will be disclosed outside NZ (IPP 12 – Disclosure of personal information outside NZ).
Agencies will be legally required to notify breaches in privacy if the breach poses a risk of serious harm or causes serious harm to an individual or group. There are three reasons why this is important:
- People can’t protect themselves from the impact of a privacy breach if they don’t know a breach has occurred
- The speed that data can be transferred and copied means the potential for harm is much greater
- Learning from privacy breaches that have already occurred can help prevent similar breaches in the future
If a notifiable privacy breach occurs, the business should notify the affected people. The Privacy Commission has developed a Notify Us tool which will help you to identify whether the breach meets the notification threshold. Failure to notify could result in a penalty of up to $10,000.
Examples of likelihood of serious harm being caused by a breach include:
- Physical harm or intimidation
- Financial fraud including unauthorised credit card transactions or credit fraud
- Family violence
- Psychological, or emotional harm
Find out more about serious harm.
New IPP12 – relates to sharing information with overseas agencies. Agencies are required to tell individuals that their information will be shared overseas unless the overseas company is subject to the Privacy Act 2020 or comparable privacy law. This notification doesn’t apply if practices are using cloud computing where the overseas agency is only holding the information on behalf of the practice.