Replay: Data breach readiness: what every business should know

Data breaches are easier to avoid than they are to fix. Watch the replay with experts from the National Cyber Security Centre (NCSC) and the Office of the Privacy Commissioner (OPC) to learn how to reduce the likelihood and what to do if you experience a breach.

[Visual] The screen opens displaying a slide tile that says, ‘The webinar will start shortly’. The host, John Mollo appears in a small window at the top right-hand corner. Throughout the video, the webinar slides change to match what the speakers, Tom Roberts and Susan Allen, are discussing. At times John, the host will cut in – as each speaker speaks, they appear in the top corner. 

[Audio: Host/John] Once we have critical mass, we will kick off this webinar, so we will be back with you in a moment. Alright, fantastic. Looks like we have a good number of people online who have joined, so we will get things underway.

Welcome to this data breach readiness webinar, everything that your business needs and should know around data breaches. I will be your MC, my name is John Molo. I'm a team leader here, at the National Cyber Security Centre. If we jump to our next slide, uh, we have two fantastic speakers for you today.

[Slide change]

Tom Roberts works for the National Cyber Security Centre as well, he's the team leader of response and investigations. They are there to support government, businesses, everyday New Zealanders when they experience an incident, so he'll be speaking from the aspect of when we receive reports around data breaches. 

And we're also joined today by Susan Allen. Susan is from the Office of the Privacy Commissioner, the Manager of Compliance and Enforcement. As you see throughout this webinar, data breaches there is very much a privacy implication there, so it's great to have Susan with us as well.

Before I hand over to Tom and Susan, just a couple of housekeeping things. We have a Q&A box at the bottom of the screen there, so we encourage you to ask questions throughout the webinar.

If at any point I find a natural point to ask a question, I might jump in there and ask our speakers. Otherwise, we'll try to get to all the questions at the very end of the webinar. We'll jump into our next slide.

[Slide change]

I'll just touch on our agenda today. So, we'll be covering off, what is a data breach and how it can happen.

Some of our legal requirements around the privacy acts, including when and how to report.

What an effective incident response looks like, so when something bad does happen, how do you respond to that, and some of the resources that we have to support you around that.

And what are those practical steps to improve your organisation's preparedness, and incident response for things like data breaches?

So now, I'll hand over to our first speaker, and I believe that's you there, Tom.

[Slide change]

[Audio: Speaker/Tom] There we go. Kia ora koutou. So, I'll just go over what the National Cyber Security Centre is, as you can see there we provide advice to all New Zealanders regardless of the size and complexity of the organisation, whether they're a single person or whether a large, nationally significant organisation, so government departments, industry… certain sectors in our industry and things like that and that's done through a couple of different mechanisms, so we've got the fantastic Own Your Online which is our sort of source of truth, where it's easy to understand resources, uh, for anyone. It's, like, the sort of thing that I could point my mum at, and she'd be pretty comfortable navigating that and finding out what she can do to keep herself secure online. But equally, we also provide services to government organisations and so that's from either national standards and security and the Information Security Manual and all these sorts of other dry documents that are important to our security.

But today, I'll go over, like, what is a data breach? And certainly, this is a big one because it happens more often than we would like. 

[Slide change]

A data breach is essentially when your private information, for whatever reason, gets out of your organisation's control, or your own control, and it can happen through either an insider, who can potentially do it, or more often, it's when the network that you're on has been compromised, and things have been stolen.

There’s a couple of different motivations for that, but they generally fall within two categories, which are financial. So, you've got your cyber criminals that use the information, and they sell it. I've got some screenshots coming up that tangibly shows you what it looks like.

Then also espionage for future use sort of activities, think nation-states getting into New Zealand's networks and, and using that for their own national interests. 

[Slide change]

They can happen a couple different ways and as I touched on, there's insider threats, that's when you might have disaffected staff. Certainly, the PSR, protective security requirements website that run in with the service have advice on how to protect from insider threats. 

Equally, cybercriminals will use it for money. It's a whole economy; it's a large economy and then other people will buy that to then make more money off. They can do that through phishing emails, or they can use it through exploiting vulnerabilities in your network, they can do, sort of, social engineering, pretending to be friends, and then they go after your data. There can be inadvertent leaks as well, so sometimes, uh, you might just have the wrong person on a call chain or a signal group, or an email chain, and unfortunately, they've had access to the information that wasn't meant to be shared with them. 

[Slide change]

Largely, these are the types of effects that data breaches have, you've got your financial in there, the legal fees, there's a lot of hidden fees, with data breaches. Certainly, it's a complex situation, and people, you know whether you're paying for cyber remediation, or you're, you know, paying to have your holes patched or people might have access, you know, the data, depending on the data, that can be used for you know, criminal financial gain.

Reputation, as we saw with the Optus breach in Australia a few years ago. They had a long, hard road for building back their reputation after their data breach and so that can really impact your brand and often that can be bigger and more long lasting. 

Legal obligations, Susan will touch on that later, there's some obligations there in accordance with the Privacy Act.

Personal information and more phishing, they sort of go hand in hand, but that they used predominantly for targeting for future use. Data will be sold on the internet; a cybercriminal will come after it. It's usually pretty cheap, all things considered, and then they'll be used for a bunch of different things, whether that's potentially making fake IDs or, you know, that sort of thing, or it's being used as another way to get into other people's networks. So it really is sort of the source of a lot of harm and a lot of spread that we're seeing.

[Slide change]

So, I'll just talk through a common scenario, and it is cyclical, and we do see it very cyclically.

Basically, what can happen is an attacker will, often based on a data breach, send a staff member or a person a link within their email system. It could be a job offer, a lot of times we've seen recently with nation states certainly it's a fan, or the advanced threats they use PDF documents and things like that to get past some of the initial controls and cybercriminals are adopting those more and more.

But then they get access to the staff member or the person's credentials or their login information, or sometimes they don't even need that depending on, how the network is set up. And so that basically leaves them a door.

Right? So they've got a door to your house. Thought it was someone to come in and maybe fix the windows or something like that, and then you've given them access to your house. Once they're in there depending on your internal controls, often with a lot of smaller networks and a lot of small businesses, internal controls aren't there, and often that's out of necessity to make it easier for the internal staff to do business, but the criminal or the threat actor will get in there and move around inside the network.

Think of that as them going into your private network, they’ve gotten themselves off the internet, and now they're in your private network, whether that's your Gmail accounts or your Outlook accounts, and they're using credentials that staff member had, or potentially they've gained more, so they look legitimate as well. They're using what we call living off the land techniques.

And once they're in there, then they can start removing data and removing data can be done in various different ways. If it's a ransomware attack, they'll look to, depending on who it is, but they'll, lock it or encrypt it, and then send it out in small packets to whoever they need. So, in this case, we had an incident where we saw that there was very small amounts of data being sent away from the target, or away from the victim, over a long period of time. And I say weeks and months. It's a small, small, leech, and it’s often too small for security systems to pick up, unless they're looking for it.

Certainly, there's some great security systems out there that do that. And then in the case of a ransomware, that's when they lock you up, and they'll lock down your network, because they've gained enough privilege in your network, they've gained the administrator passwords, and they'll lock the network down, and then they'll send you a cheeky wee message to say, hey, please pay us in Bitcoin, often it's in Bitcoin, and then we can, unlock your data for you. 

That’s as much as the reassurance that they give you that that will happen. Our experience is that your data is still leaked. Your data is still out there, and essentially, you're paying them for peace of mind that that doesn't exist, and it's not guaranteed. Our strong advice is never to pay a ransom.

Never, never, never to pay a ransom. Not only does it, encourage more of the activity to happen to other people, but the data is already gone. And so, because the data's already gone, you need to start looking at other controls and things like that. And then the impact on that, so then you'd, you'd go to the, you know, the OPC, you'd report to the NCSC, you'd go into your recovery plan.

And then that data leak will cause more data, or potential more attacks against other networks, across the country. It can start a rampant sort of cycle and that's how it links back into each other. And then it can take various different forms, and they use various different techniques. 

We use, at NCSC, the MITRE ATT&CK framework. I won't go into too much detail on that here, but can, yeah, really start, getting quite nasty with these. And we see this every, you know, every week, more often than not, there's going to be a data breach, or someone's had a ransomware attack, or something like that. It's almost every day, and sometimes every day of the week, depending on the week.

[Audio: Host/John] And so, Tom, may I just pick up on a couple of points there. So, I talked about, obviously, there's a whole bunch of different ways, you know, this can happen, phishing being one of them. I don't know if you want to talk more about exactly what spear phishing is, because people might not be as familiar with spear phishing?

[Audio: Speaker/Tom] Yeah, good call out. So, spear phishing is when someone's got enough information about you to make that, a phishing email really realistic. So, think, I know we've got a lot of professionals on the call, and who probably have LinkedIn. LinkedIn is, a notorious way to get information about people.

Sometimes, you know, if you're a chief executive or someone in an organisation with a lot of influence or something like that, that's targeted phishing attacks. And so that requires a wee bit more reconnaissance typically, yeah.

[Audio: Host/John] Perfect then, thank you, that makes a lot of sense there. And so you can see from that how it can be cyclical, right? Because, you know, that data's out there. Once it's out there, people can then use that to, target people, but more make that email seem more legitimate, right? Because they have more information on those people, so that's, I think that illustrates it really nicely. Thanks there, Tom.

[Audio: Speaker/Tom] Yeah, and I suppose it doesn't necessarily just have to be email as well, I'll highlight. If you've got a Wi-Fi network, say you've got a guest Wi-Fi network and that's not locked down properly, that's another way that you could easily get, a data breach, or the likes of, people bringing their own devices into work and things like that, if you don't have the right policies in place.

[Slide change]

And this is what it tangibly looks like. This is what the dark web looks like, for those that haven't been there. I don't go on it too much, but that's what it looks like. So someone's sort of done a bit of a Facebook like post. Hey folks, we've recently required information on about 2.5 million New Zealand citizens. This is a fairly recent example.

And they basically say, hey, look, who wants to buy it? They're not gonna pay the ransom. Who wants to buy it? And I would reinforce that even if you paid the ransom, these, these aren't exactly, you know, people, with astounding integrity, so they're going to make as much money as they can. And then, again, there's some smaller ones in there that, from overseas examples, but the one on the left, isn't and they'll just do a post, and then you can see, yeah, all the information. I think in this case, the victim organisation certainly they came to NCSC, and I believe they went to the OPC as well. So they did everything, right. Interestingly, on this one, the impact for this organisation was, the communications, and as we see in a lot of incidents, the communications to your customers, can be the hardest bit.

And in terms of what the actual files look like, everyone's seen an Excel spreadsheet, or that's essentially what the data looks like, is an Excel spreadsheet. And it can come in a different form, so that's the basics of it.

[Audio: Host/John] And just picking up on your point there, Tom, around the challenges of talking to customers once there has been a data breach, I'll just make a plug for, some of the resources on our website. So we do have a communications framework that folks can look at. So, if you experience an incident, there's a framework there around, what you should think about, how you should talk to people around the incident.

Because, essentially, how you talk about it could make it better or worse, sort of thing. So we do have that resource on your online, so do have a, do have a look around, and we'll be on there on the resources page. But yeah, sorry, over to you, Tom.

[Audio: Speaker/Tom] It certainly makes or breaks, because basically, when you've had a data breach, you're into consequence management, the information is gone, you're into consequence management. So, you know, there's things that you can do prior to the cycle, so if you think about that cycle, if you, limit, spear phishing emails, or use techniques to limit spear phishing emails, you're breaking the cycle before it starts. I'll hand over to, Susan from the OPC.

[Slide change]

[Audio: Speaker/Susan] Alright, I couldn't find the mute button. Great. Welcome, everyone. I'm Susan from the Office of the Privacy Commissioner. I am talking about very similar things, actually, from Tom, only on a slightly different perspective. So, I'll be covering a bit about our office, what we do, understanding what a notifiable privacy breach is, what to do when you have one, how to work with the Office of the Privacy Commissioner, and how we'll support you.

I will also talk about some insights on breaches that we see reported to us and their root cause and also some pointers to think about within your business about safe personal management of information. And I'll also be covering off the communications element, so how do you tell affected people about a privacy breach? So, there are some specific requirements you need to do. So you can join up the advice from Tom about how to do that, and what's on the NCSC website alongside the privacy requirements and making sure that you're meeting all of your obligations at the same time. So, just moving to the next slide.

[Slide change]

Here we go. So, if you remember nothing else from this presentation, two things. You have privacy obligations under the Privacy Act. You will all hold personal information of some kind about yourself, your customers, and that's got a lag. 

[Slide change]

Sorry, let's go back. Nope. About your customers and about your, staff. So, all that counts as personal information. The other key thing to remember is that there is a lot of guidance on the Office of the Privacy Commissioner's website. We are here to help. We have a whole team, as you can see from the slide in front of you, that deliver capability and guidance. There's a lot of information about how to do privacy well.

And how do you even have a privacy? We have a privacy statement generator, so if you don't have a privacy policy on your externally facing website, or for your staff, go to our website. You can use our, Privacy-O-Matic, I think it's called and generate a privacy policy that helps understand your privacy obligations under the Act.

So, a bit more about the office. So, we investigate privacy complaints from the public. We also respond to breach notifications that come through, from organisations such as yourself, education and guidance, and also provide, privacy specialist comments on government policy initiatives as they come through.

Next slide, hopefully. There is a bit of a lag, so apologies for that. Nope. Next one. It's not moving.

[Slide change]

Thank you, it's moving, magic. So, privacy breach. So, what is a privacy breach? It's an unauthorised or accidental access or disclosure of personal information. And so, personal information is specifically defined as information about an identifiable individual. So, it can be your name, but it doesn't have to be your name. It could be other information that helps identify who you are and it can include where you have information that is lost to you, so either it's on a USB stick that you've lost, or it's a ransomware attack and you don't have access to that information anymore. So when you have a privacy breach, the first thing to do is to figure out whether it's a notifiable privacy breach or not, and that means whether you are required to notify us or not.

The criteria that you use to assess that is whether or not it's likely to cause serious harm, or whether it has caused serious harm. And serious harm is also defined in our legislation, so all of these things are very specific, and they're set out in our legislation, and there's a lot of guidance on our website that puts that in plain English.

In terms of serious harm, that takes into account the sensitivity of the information. So, was it HR information, for example, payroll information, health information or financial information are inherently sensitive.

We also consider the type of harm that's likely to occur, so it could be financial harm, identity theft, and we look at who has the information. So, if it's an accident and you've emailed it to the wrong place, the person who received it has deleted it, confirm the deletion, that's not likely to cause serious harm. If somebody's got it, and then you think that they might use it for malicious intent, that automatically ups the ante. It's more likely to be serious harm. At that point, you need to consider notifying us as soon as possible, and you also need to consider notifying affected people, so people whose information was in the data cluster that got accessed or misused, that was subject to the privacy breach. And there are some specific requirements to that notification that I'll talk about shortly.

One thing to be really clear of, and we hold this very dear to us, is that we have obligations of secrecy under our Privacy Act, so anything you tell us, we are required to maintain secrecy of that information. So we don't make any public comment as a general rule, there are some exceptions to that, but if we do find ourselves in a situation where we're making a public comment, we will talk with you about that first. We don't answer media questions with any details about your organisation or about the incident that has happened, so anything you tell us is secret.

Move to the next slide, hopefully.

[Slide change]

[Audio: Host/John] Just jump in there, Susan, just real quick. We've got a question that kind of ties into that slide. I think you've kind of touched on it. But this question here is just, kia Susan, we encourage people to report to you when we know there's been an incident, but the form implies you only report if there's been harm, so I suspect they don't continue.

Can you confirm they should report anyway if there has been a breach? I think you sort of touched on that around serious harm, is that right?

[Audio: Speaker/Susan] Yes, so there's a couple of really good reasons to report to us. So, if you need advice and guidance, let us know. And so, reporting to us is a good way to give us enough information to be able to help you. So, if you're needing advice and guidance, report it. The threshold within the legislation is that it is likely to cause, or has caused, serious harm, and that likely to cause, can be a bit tricky, it could be likely to cause immediately, or it could be likely to cause in a year's time. And so, if in doubt, notify, but you don't need to notify if something's bad has happened, and you don't have any personal information that you've identified as affected, so those are your first steps. What personal information was affected.

At that point, you could consider whether you need advice or guidance, or whether it is likely to cause serious harm. If in doubt, notify, and then we'll be able to give you some guidance, but the key thing is first make sure that personal information is affected.

[Slide change]

I'll move through this slide. So, when a breach happens, and I say when a breach happens, because they do, you can have the best security systems, the best training for your staff, but bad things happen. So we work on the assumption that it does, and your best defence is to be well prepared and have a breach management plan in place.

The three elements of our breach management plan, contain, assess, and notify. So the first point, contain, is all around reducing the impact to the affected individual, and also to your organisation. When it comes to assembling an incident response team, what we see a lot of is that the immediate response is to the security breach or the IT issue.

Each organisation, under the Act, is required to have a privacy officer, and it's really critical that that privacy officer is in the room when the response team gets together. So that privacy officer's job is to just focus on the personal information, and that leaves the IT specialists free to sort the IT issue, and the privacy officer can manage the notifications to our office, and the notifications to the affected individual.

So containing the breach means essentially trying to get it back. So, you've lost control of it in some form or other, get it back if you can. If it's lost, try and find it. If it's been sent to the wrong place, as I said before, contact the person who it was sent to, and that could be as simple as an email error has gone to the wrong email address.

Contact that person, ask them to delete it, and ask them to confirm it's deleted. If it's a lost laptop, you can wipe the device remotely, or change a password on the account so the information isn't accessible.

At the extreme end, you can also apply to the courts for an injunction, which enables the information, if you can't contain it, you are preventing its use, so it becomes illegal to use that information. And of course, a hacker is not going to pay any attention to that, but it does mean that you're taking the best possible steps you can to try and contain the breach that's happened. And teams of a..

[Audio: Host/John] So I might just jump in, there’s another question that was just, ties into what you're talking about, assembling your response team. So this question here is, can anyone notify a potential breach, or does it need to be your organisation's privacy officer?

[Audio: Speaker/Susan] Anybody can. Normally it is the privacy officer, but anybody can.

[Audio: Host/John] Okay. We'll happily talk to anybody.

[Audio: Speaker/Susan] Cool, thank you.

[Audio: Host/John] I'll let you keep going.

[Audio: Speaker/Susan] In terms of the assessment, so, this is the part where you work out whether it's likely to cause serious harm or not, or whether it has caused serious harm already. So, you look at the containment, whether it was successful, and the sensitivity of the information. So, and this is very, context specific. So, for example, name and address information is not inherently sensitive, but if it's the name and address information of somebody under a protection order, then it becomes immediately sensitive information, so you need to consider the context. The malicious element that I spoke about before.

And it's really important, and we will want to see you document your decision making. So, if, for example, you assess a breach as not being notifiable, and then somebody is harmed and makes a complaint to us, we will then come back to you and go, well, how was your decision making? What factors did you take into account? And making sure that you've met all your regulatory obligations.

The notifying part, so this is notifying, affected individuals primarily, so it is really important to be transparent with affected people, and be prompt as much as possible, so that you're reducing the harm to them.

Now, you won't know everything necessarily right up front. Sometimes it can take a while to work through and investigate what actually happened, what information is involved, so it's okay to do that incrementally, that notification, both to us and to your customers. When you do notify your customers, the Privacy Act has very specific requirements in there about what you tell them.

And you need to tell them things like what happened, what you've done to contain the information, what you've done to prevent it happening again, any steps that they can take to prevent themselves from further harm. So, if it was an account breach, for example, you might require them or recommend that they change their passwords on key accounts.

And you also need to tell them that you've notified us, and that they have a right under our legislation to make a complaint to us as well. So those are the things that we will be working with you to make sure that you understand those specific notification requirements that are in the Act, and how to meet them.

Next slide.

[Slide change]

[Audio: Host/John] That might just be, as the slides are transitioning, a good time to ask this next question. You're getting them all, Susan, today.

[Audio: Speaker/Susan] Okay.

[Audio: Host/John] So what is the normal turnaround time for when a request is raised to having someone get in touch to provide assistance there?

[Audio: Speaker/Susan] So, we, that's a really great question. So, we… it goes into, the Notify Us tool, which is on the spreadsheet on the slide at the moment. In terms of time around turnaround time, we triage them, so the most urgent ones first.

And we look at urgency in terms of the immediacy of harm. We also look at the… what we assess the privacy understanding of the agencies, and whether, you know, you're a big bank and you've got your whole privacy team and legal team and privacy officer onto it, or if you're a small tradie firm and you're asking some questions that signal, we can step in and help you do it really soon. So, we will always get back to you. We have a turnaround time of within 3 days. For more urgent ones, it's much sooner than that.

Sometimes even the same day, particularly if there are some flags in there that we're particularly concerned about.

[Audio: Host/John] Okay, perfect, cool. There's a couple of other questions there, but I'll leave those to the end of your section and let you keep going through.

[Audio: Speaker/Susan] Okay, great. So, how to notify. So, on our website, privacy.org.nz, there is a tool called Notify Us.

And you have three different channels to notify us within this tool. The first one, do I need to notify? It's actually a self-assessment tool. So it will collect some preliminary information about what happened, and about the information that was affected and it will… the algorithm will come out with an end result about whether or not, based on the information you have put in, the system thinks the breach is notifiable.

That's a really good test, but it is not a definitive answer, so if it comes back and says it's not, and you're thinking I do want to tell OPC anyway, just tell us. This test is a guide, and we will complete an assessment of everything that comes in. So yeah, don't take that as gospel.

If you want to report a breach, use the Report a Breach button. That will collect more information about what happened than the self-assessment tool, and that submits an automatic notification through to us, and then we'll be in touch with you. You can also, if you've previously reported a breach, when you report it to us, we'll give you a reference number. You can come back and update the breach at any time using that reference number, using the third button, Update a Breach.

The information on the right of the slide is the type of information that we'll ask you when you get in touch with us. And then we'll ask you also a bit about what happened, what security or privacy safeguards you had in place, how effective were they, and give you some advice and guidance on how to strengthen those. Next slide.

[Slide change]

So this next, conversation is around, the types of breaches that get reported to us. So this… the graphic on the left is, we classify things generally by sector. We didn't have any numbers for small businesses,

But I can tell you that there are a lot. They're reported by small businesses. And the thing with those that we find is that they are really high impact on the affected individuals, so it's not like a big Qantas breach where you have a million people's data affected.

It's one person or one family. In one example, a building company had a phishing attack, and they, the hacker got into the system and sent out an email telling the clients, hey, I've changed the company's changed its bank account, please pay your invoices into this new bank account. And as a result of that, one family lost $200,000. So they paid money into the wrong bank account, and they didn't get it back. And so the impact of these types of breaches, I think, is much greater for small businesses, and it really impacts people's livelihood, their wellbeing, their stress.

And so, when you're thinking about a phishing attack, they can get into your systems and impact your business, but they can also have a huge impact on your customers, and once that trust is gone, it's really hard to get back. And people don't recover from losing $200,000 in a scam. They just don't.

The type of breaches that happen, the most common one is unauthorised access and unauthorised sharing, and that can be anything from cyber hacks, ransomware, sending an email to the wrong place. It also includes employee browsing. So, for example, if you're a GP practice, you've got very sensitive health information, or you're an accounting firm, you've got sensitive financial information. Not everybody in your company needs to have access to all the information.

And if you've got somebody who's looking up, for example, a client's financial report, and that person is not working with that client, they don't need to have that information. And so people can look up information that's about somebody else, they don't have a lawful purpose to look it up. Often, it's for nosiness, sometimes it's to cause harm to that individual, both of which are privacy breaches you need to assess and consider whether they're notifiable or not. Next slide.

[Slide change]

[Audio: Host/John] I was just, in terms of those numbers there, I think we had the dates across the bottom, but perhaps it wasn't legible, so what is the timeframe for those numbers? Someone has asked that.

[Audio: Speaker/Susan] Right, so those are the numbers for the full financial year 2024-2025, so year ending 1st of June this year.

[Audio: Host/John] Perfect.

[Audio: Speaker/Susan] And year on year, our numbers are going up. We get about a thousand breaches reported to us each year. Out of those, a good two-thirds of them are serious harm.

[Audio: Host/John] Thank you.

[Audio: Speaker/Susan] So, to round up, these are some things that I would love for you to go away and think about. Understanding the personal information that you hold is key to protecting it. So, understanding what you're collecting, why you're collecting it, how long you're holding it for. If you don't need it anymore, so your retention period has passed, say you're holding it for AML obligations and that retention period has passed, delete it. Anything that you hold that you don't need is a greater risk for your organisation.

Each organisation has to have a privacy officer, and it's really important that all your staff know who that is, so that they can go to them for advice and guidance. And just making sure that you've got the right steps in place to keep information secure and having a breach management plan that I mentioned before.

We've got some guidance on our website called Poupou Matatapu, which is doing privacy well, that talks about what good privacy looks like in every element, from the governance of it, from the conversations that the CEOs are having, through to the role of the privacy officer, how to manage a breach, how to notify a breach, everything you need to know about privacy. So that's your go-to for privacy.

That is me. I'm really happy to take any further questions at the appropriate time. Thanks.

[Slide change]

[Audio: Host/John] Thanks, Susan. Yeah, there's a couple of other questions in here for you. Obviously, proving very popular, so, we'll just dive into some of these, and if we can't get to some of those, we might just keep them to the very end.

So there's one here just asking to clarify what was the document on the privacy.org website that you used to create a privacy document for your business? Was that a privacy policy generator? Is that right?

[Audio: Speaker/Susan] Yeah, I think it's called Privomatic, which is pretty catchy. If you just Google Privacy Statement Generator, on our website, search, you'll find it there. I think it will be under our resources tab.

[Audio: Host/John] Okay, cool, thank you. Sounds like there's a lot of useful tools between that and the self-assessment tool there for folks, so that's really cool.

Another question here is, if an organisation, e.g. a school, puts personal information into a free AI tool, so non-data protected AI tool, does that count as a privacy breach, or is that a bit hard to sort of comment on, unless we get a bit more specific details there?

[Audio: Speaker/Susan] I do need a few more specific details, but I would be really mindful about putting personal information into AI. So, AI is the internet, right? So you've got… you lose control at that point.

There will be safe AI out there. I would think you'd need to look at the terms and conditions of the AI tool, about what it's doing with the information.

And thinking about what you're actually wanting to achieve out of putting it in the AI, and is there another way? I would think very carefully about doing that.

[Audio: Host/John] Okay, perfect, thank you. This next question here is health-related. So, what level of health information rates for serious harm or notification? Do you have any advice when data falls under the HIPC? So I imagine that's the Health Information Privacy Code? There is, yeah.

[Audio: Speaker/Susan] Yeah, so health information of any kind is inherently sensitive. And a good way to think about it is, if it was health information about you, would you want other people knowing about that?

We do treat those as generally serious harm, because it goes to people's sense of well-being, it goes to their emotional harm, and if it's health information in the wrong hands, it could be, like, somebody accidentally gets outed as having a disease that they didn't want people to know about, for example. So that is really personal, sensitive information.

The Health Information Privacy Code sits underneath the Privacy Act, so it's still got the same information privacy principles. It's just a bit more prescriptive in certain elements that give a bit more protection for health information on the recognition that it is particularly sensitive. So the two go together, and I think if you've got particular questions around specific health scenarios, speak to your privacy officer or give us a call.

[Audio: Host/John] Perfect. And we'll ask you one more before, handing it back to Tom, who'll get to the rest, hopefully at the end there. Does OPC have an opinion about impacted parties asking for a copy of the notification form filled out by the agency when notifying the breach?

Could the organisation withhold it under the Privacy Act? I note your comments that OPC promises secrecy. Do you have any thoughts on that one?

[Audio: Speaker/Susan] Yeah, that is a really good question. We get asked that a bit. So, we will not release any information that you gave us, so if that person asks us for information about the notifiable breach and what you submitted, we will point them back to you.

I think the rest of it is your decision as an organisation about whether you want to, and how much information you want to give to the affected person. Generally, I would say if they are affected by the breach, it's part of being open and transparent with them about what happens.

But we don't have any requirements about whether you do or don't keep that information safe. The secrecy requirements apply to information that we hold, or we know, or we are given. The rest of it is within your control. I would say that part of being open and transparent is, and there's a notification requirement under the Act, telling the affected people what actually happened, and a lot of that information is information that you give us in the notification. So, unless there's something particularly commercially sensitive in there, then obviously that's your decision to withhold or release on that ground. But otherwise, it's up to you.

[Audio: Host/John] Okay, awesome. Thank you, Susan. We'll just park those questions for now and hand back over to Tom. I think he's got just a few more slides to bring us through, and then we'll get back to some of the questions once Tom's done. Over to you, Tom.

[Slide change]

[Audio: Speaker/Tom] Awesome, thank you. So we'll go into how to protect your business from a data breach, and sort of the actionable things that you can do now to prevent the harm, specifically from sort of the cyber angle of data breach.

[Slide change]

So, it starts with the data that you're collecting. If you're a business, I'd really invite you to collect the minimum amount of information for you to be able to do your business, and not a piece of information more. And how you store it needs to be secure, and then the levels of encryption and things like that. It's really about making sure that you're being responsible to the people, your customers, and what we've seen, certainly, is that organisations that don't actually collect a huge amount of information, they're more respected, and people have a bit more trust in them.

If you collect less information, you're not going to have as bad a day as you could have had should you, say, be collecting passport information when there's actually no need.

There's also the storage of information. Say you need to do verifications on people, and you might need, say, an ID document for that short period of time, just delete it afterwards. Don't retain your data for longer than you need. Certainly, there's data debt out there, and people will have this; certainly, I've got this on my own, sort of, drives, where you just keep downloaded documents, or you just keep a lot of stuff and you don't have a clean out. If you don't need the information, get rid of it.

And then, you know, there's the technical stuff there as well, so just making sure that it's encrypted. A lot of the services that people use already are secure by design, and certainly that's what we're promoting from the NCSC. You don't expect to pay extra for seatbelts when you get in your car, so you shouldn't be paying extra for security for your data and IT services. So, make sure that, you know, you are considering services that are secure by design.

[Slide change]

Managing staff access: often people just get added to a SharePoint group, it's like, oh, they're in the business, they have a need to know. Certainly, that's a pretty bad way to operate; quite frankly, you don't need to be giving your staff all access. It's better for staff to request access than it is for them to have it automatically. And then also it helps your IT team manage who's actually getting through where, so it's adding that sort of a bit more of a technical layer of protection.

And certainly, I mean, it's the way that the OPC operates, the way that the NCSC operates, you know, where people need to have a need to know, and if people don't need to know, then they don't need to know, and I would invite organisations to do the same thing in their businesses.

[Audio: Host/John] Cool, just a question here that was relevant to the previous slide there, Tom. We've seen a data collection slide. Is the advice to retain minimal and then delete relevant for the public sector too, given R&D requirements under the Archives Act? So I imagine that where you talk about if you don't need it, that means need it under legislation as well as need it for work, right? So there's obviously requirements around financial records and obviously the Archives Act, is that what we're getting at there?

[Audio: Speaker/Tom] Yeah, absolutely. So, I mean, Susan can speak to this a wee bit more, but certainly we've got the privacy obligations under the Privacy Act and the need to keep information for set periods of time. So there will be the need for that, more so meaning if you're a business and you don't have those obligations, it's better to just get rid of the information that you don't need to do your core business, if you don't actually need it, while adhering, obviously, to the relevant.

[Slide change]

The next one is, create an incident response plan. We've got a fantastic tool on Own Your Online, I really mean it, it's fantastic. It was built with, like, subject matter expertise, best knowledge, and then applied to a business lens, and so as you've got the privacy plan on the OPC website, on Own Your Online there's the incident response plan, and you can go through and create a checklist of what you need to do.

And certainly that helps cool heads when you're operating in crisis, and you've found a data breach; it can be the worst day in someone's career. Just having a plan will just cool the fire a wee bit. And certainly, if you've got to report to your board and you've got an incident response plan, or you've got to report to whoever you need to, just saying that you've got an incident response plan and that you're following your incident response plan can often lead to less reputational harm, because you're doing something that you've already thought about.

And, if you have had a data breach, these two tips are certainly situation specific. Sometimes you wouldn't want to, say, disconnect the compromised system, but more often than not, you need to isolate that system. The reason you would want to isolate that system is, if you haven't been ransomwared, if you've seen the data going out and you haven't been ransomwared, that can be an indicator that you've actually gotten in there before the actor, before the cybercriminal, has managed to encrypt your entire network. So you'd be preventing that, but certainly don't turn it off; you do need to make sure that you've got the evidence to know what has happened. And then certainly reset passwords for any compromised accounts. Even if you have an inkling that they could be compromised, it's easier just to reset them.

If it's on your personal device, and your personal information, so your own phone, or your own bank, and all that sort of thing, resetting passwords if you think you've been involved in a data breach is a must. And then, on top of that, get multi-factor authentication or two-factor authentication, whether that's a text code or one of the ones that you've got on an app.

[Slide change]

So if you remember a couple of things: data breaches are easier to avoid than they are to fix. Once you're into fixing a data breach, you're into consequence management. It's really awful, so make sure that you've got the right security controls in place, whether that's in your personal life, so, you know, making sure that you've got multi-factor authentication and strong passwords.

Through to staff education: if you're running a business, make sure your staff are educated. These things happen, and they happen more regularly than people think. The effects can go on for years, and certainly maybe if it's yourself that's contained in, say, you're going back to trading, or you're going back to normal. For a lot of other people, as I showed in that cycle, that can have long legs.

Your business does have legal obligations under the Privacy Act, and certainly reporting to the OPC, we recommend that. Just report to the OPC. They're fantastic and really helpful, as it helps with navigating, and certainly they have further tips around that more legal sort of side about how to navigate that system.

Always be conscious about what your business collects, as I've touched on before. And if you have a data breach, report it and get assistance.

[Slide change]

Certainly when it comes to reporting to the NCSC, if you've got a data breach, and you're just not sure what to do, please give us a call, or give us a report, or something like that. Even, what we find, certainly with information security managers, sometimes it's just that we give the, hey, you're actually doing the right thing. It's the worst day of their career, they think everything's falling down, but certainly, we just talk it out with you, and say actually everything's okay. Equally, we've got unique capabilities and unique tools that we can apply to tough situations to hopefully help mitigate any damage caused by it.

But with that, and certainly, sorry, last slide from Susan, apologies.

[Slide change]

[Audio: Speaker/Susan] These are your key takeaways. So, if you remember nothing else, Privacy Officer, check out our website. That's it.

[Audio: Speaker/Tom] Awesome. Over to you, John.

[Slide change]

[Audio: Host/John] Cool, thank you, Susan and Tom. That was really good, really useful. We've got a few questions here, so do feel free to keep firing through the questions, and we'll get to those in a second, but just noting this last slide here, Cyber Smart Week is coming up 6th of October, week of 6th of October, so do feel free to sign up if you want some resources there to help you talk about online security within your business or to your customers. They're absolutely free, a range of resources there that you can pick and choose from. It's a great pack of stuff there for you to use.

Alright, so we might now jump into some questions for our speakers. So the first one here, we'll put to Tom. So, apart from what Norton LifeLock offers, is there anything like that from CERT or police etc. that they offer, like getting you back to normal type stuff? So I imagine that Norton LifeLock, as I understand it, helps keep an eye on if your information is included in a breach, or your financial information's being used to commit identity fraud, that sort of thing. What other resources are out there for people to use?

[Audio: Speaker/Tom] Yeah, so there's a range of different services, and I can't comment on which ones you should or shouldn't use, just because I don't want to put, you know, a finger on something that may, you know, not end up being great, but I'd say the principle that you need to look for is that it's reputable, certainly that it's a reputable company. Sometimes the free ones will use you as the product; if it's free, you're the product, so I'd be cautious about using those free ones. Equally, you can do a lot on this website called Have I Been Pwned? P-W-N-E-D, and basically you can type in your information on there, and it will tell you if you've been subject to a data breach.

I'll type it in the chat after this, but there's those other products as well that you can use, but I'll just make sure that they're definitely reputable, and be cautious that the free ones will potentially be using you as the product.

[Audio: Host/John] Cool, thank you Tom. Next question here for Susan, does the OPC have a position on the inherent sensitivity of basic personal information becoming less sensitive as there are more and more data breaches?

For example, most people would assume that their phone number has already been compromised due to the number of scam texts received daily. Does that make the harm lesser if the data, such as mobile phone number, is already exposed in a breach?

[Audio: Speaker/Susan] Yeah, so we don't have a formal position on it, but a couple of things that I can comment on that I have noticed. So, in Australia, they've had some really big data breaches. Optus is a really big one, and then there was another one of something I can't remember that was huge with government information. And one of the things that our equivalent over there found was that it was the same people being impacted over and over again by each of these big breaches. And I guess there's a couple of different approaches. You could say, well, my information's out there, it's too hard, I don't care anymore. But actually, we're not going to say that, because we're privacy, so actually everything is really important. I think it's just a matter of keeping your awareness up, keeping your security settings up, making sure that, you know, you check your bank account periodically, that there's nothing funny going on in there, using smart passwords, don't use the same password for everything. There are still things that you can do to protect yourself, so your information might be out there, but you still can take steps to make it harder for the person to use. And things like if your driver's licence gets stolen in a hack, for example, like with Latitude Finance, driver licences were stolen, you can get your driver licence replaced. Same for a passport, so keeping your core identity documents protected; if it does get stolen, cancel it, get a new one. So the hackers use the full data, the numbers and version numbers and things like that, for those documents. You change your version number, harm becomes less. Doesn't remove it, but it becomes less, so there are certainly some things that you can do. And I would say just, you know, always keep on top of it, because it is a slippery slope, and worst-case scenarios are actually pretty bad, so anything that you can do to avoid being in that situation is worth it.

[Audio: Host/John] Cool. Thank you, Susan. This next one we'll put to Tom. Are there any organisations that have to report to the NCSC? What kind of people should report to the NCSC? Do you have anything to say on that one there, Tom?

[Audio: Speaker/Tom] Yeah, absolutely. So, New Zealand, we do cyber by consent, which is a really good model, so no organisations have to report to the NCSC. Organisations that can report to the NCSC, it's anyone, and it ranges on the different sort of threats, whether someone has experienced a phishing attack, and we can take that phishing indicator and put it through into our disruption services and work with partners or put it into Malware Free Networks and things like that, right through to large organisations that need digital forensics help and digital forensics support, with some of our more unique and specialised capabilities and people.

We do offer the range there, but certainly we operate cyber by consent, and, yeah, so I'd invite you to report through to the NCSC if you need a hand, or if you just want to let us know to prevent further harm to others.

[Audio: Host/John] Yeah, so they've got a reporting tool on the website, and anyone, individuals, businesses, large organisations, government, can report to the NCSC. So, thank you for that one there, Tom. So this next one will go back to Susan. So we advise tech clients and help with their PIAs. Some of them have concerns around completeness or robustness of their privacy practices. Does OPC's advice and guidance include having guidance discussions with organisations directly or via advisors on an anonymous basis? And what's the best way to go about this?

[Audio: Speaker/Susan] So the first best way to go about that is looking at our website, so Poupou Matatapu on our website is your first port of call. For more specific questions, you can email inquiries at privacy.org.nz, and that will give you a channel into the most appropriate person within the office that can help.

In terms of the advice that we give, we can't give legal advice, so we can't tell you what to do, but we can tell you the kind of things that you need to think about, and the kind of principles that you need to have in mind. And then if you've got more specific, detailed advice, we always recommend getting bespoke legal advice to help you in your own specific situation.

[Audio: Host/John] Perfect. So now, this next one is around cyber insurance, so I don't know if Tom or Susan wants to answer this one, but,

[Audio: Speaker/Susan] Nope.

[Audio: Host/John] What type of insurance, are there any recommendations in terms of what to look for and minimum support? Also, what kind of support would I expect from my IT company?

[Audio: Speaker/Tom] That's a great question, and it's certainly an industry that has emerged in recent years. So, what you need to do with regard to cyber insurance is run scenarios against the policy that you're taking out and see what obligations you have against scenarios. So, if you use a data breach, for example, run that data breach scenario against that policy, and see what that policy would actually cover, what would happen, or are there going to be gaps in the coverage?

Certainly, cyber insurance often asks for very specific things to happen, which is a good thing, because it means that your cyber security maturity needs to rise to meet what they will pay out on. But, yeah, the strongest piece of advice I can give on that is just make sure that you run scenarios against your policy to see that it would actually cover, or ransomware attacks, or disruption of service, those sorts of things. Denial of service, sorry.

[Audio: Host/John] Oh, thank you, Tom. So, this next question here, for Susan is, what's your policy on OIA requests relating to a notifiable breach that has been notified to the OPC?

[Audio: Speaker/Susan] So we, as I was saying before, we keep everything secret. If we get an OIA request for anything that you have given us, more likely than not we will decline to release that information, due to our secrecy provisions. If you're subject to the OIA, then the normal OIA rules apply. And we do often see that agencies are required to release under the OIA their communications with us. So, in which case, those agencies often consult with us and just check that there's nothing in there that we would want to maintain secrecy of. But yeah, your normal OIA legislation applies; it's separate from the privacy secrecy requirements that we are subject to.

[Audio: Host/John] Cool, thank you. The next question here, with the rapid adoption of AI tools in workplaces, how should organisations balance the productivity benefits against the risks of exposing sensitive or personal information to external AI platforms?

Does the NCSC have guidance or a stance on the safe use of AI for New Zealand organisations? Tom, I don't know if you have any thoughts on that?

[Audio: Speaker/Tom] Yeah, so, with the Department of Internal Affairs, we act as part of the GCDO, so Government Chief Digital Officer. And with that, we've released a bunch of guidance about safe use of AI platforms and guidance on AI platforms. Equally, we've released a lot of advisories and alerts regarding potential integration of those systems, and we've done that with our partners overseas, where they've worked with, and we've worked with, through them, with the likes of, you know, Gemini and OpenAI and all these other ones that we can, so, you know, that's being secure by design; certainly take security first. Certainly make sure that you read the T's and C's before you're implementing any AI across your network. Make sure that you're sandboxing the AI. I could go into more technical detail on it, but certainly the advice is on the NCSC website, and it's very good advice, built with the people developing the AI platforms.

[Audio: Speaker/Susan] Can I add to that? So, just be thinking about what information you're putting into the AI. And so, the example before of, I think it was a school, was wanting to put student information into AI. So, student information is inherently one of those more sensitive information groups.

So, thinking about what you actually need to have in. And so, for example, I know government agencies are starting to use AI to screen and analyse submissions on public legislation that they get. And one of the good steps that those agencies do before they put it into the AI is they remove the identifying personal information that comes as part of those submissions, so that way they're just analysing the information that they want to analyse, nothing else is being captured up by mistake and going into the AI tool. And so, part of that question that I put to you at the end of my slides was know the information that you're holding, know the information that you're working with. And then you can decide from there; don't treat it as a bulk load. Really think about the different types of information and what you're wanting to get out of the AI tool, and what you're putting in as well is really critical.

I feel like that's a whole other session on AI, actually.

[Audio: Host/John] Yes. Here is the full list. Yeah, it could be a whole webinar on AI. But we've hit the top of the hour, so we might just leave it there. Big thanks to Tom, and even bigger thanks to Susan for joining us today. That was a really useful webinar. We'll leave it there; if folks still have questions, do feel free to reach out to us. We will send out the slides and a link to the recording. There is a survey that will pop up, so we just ask you to fill that in, and maybe just, you know, if you've got any suggestions about what you'd like to hear about next time, include that in the survey. Otherwise, team, thank you very much for joining us, and we will see you next time. Thanks all.

[Audio: Speaker/Susan] Thank you.


What to expect

In today's digital environment, data breaches can happen to businesses of all sizes. Whether it's a cyber attack, a lost device, or an email sent to the wrong person, a breach can put people's personal information at risk and lead to serious consequences. Knowing what you can do to help prevent a data breach, and how to respond if one happens, can make all the difference.

Experts Tom Roberts from NCSC and Susan Allen from OPC help you navigate the realities of data breaches - from prevention to response and recovery.

In the one-hour webinar, they break down:

  • What a data breach is, and how it can happen.
  • Legal requirements under the Privacy Act, including when and how to report a breach.
  • What an effective incident response looks like.
  • Practical steps to improve your organisation's preparedness and incident response.

Time: 1 hour