Security professionals often struggle with the ‘double intangibility’ of security - the intangibility of risk and intangibility of protection. Changes hearts and minds often requires legislation and new compliance frameworks to motivate investment. New Zealand's new Privacy Act comes into play on 1st December 2020 and there are ways security professionals can leverage new aspects including mandatory breach notifications to focus efforts on securing personal information and preventing privacy harms.

1. Crossing the Streams: How security professionals can leverage
New Zealand's new Privacy Act to build a stronger security culture
PRIVACY
SECURITY
DATA
BREACHES

3. WHOAMI
• Membership Chair at
(ISC)2 Auckland Chapter
• Researching the Security
Quotient risk profiling
model
• Developing LEGO-based
CISO The Board Game
• Creator of the Cyber Self
Defence Framework
using situational crime
prevention strategies
• Starting to dabble in
privacy…

4. DISCLAIMER 1

5. IANAL
DISCLAIMER 2

7. The ‘double intangibility’ of security
Potential consumers are faced with:
1. the intangibility of risk - knowing precisely
how at risk they are and from what sources
2. the intangibility of protection - knowing
whether the good or service on offer can or will
mitigate that risk
WE ARE SELLERS OF THE IDEA
OF BUYING SECURITY…

8. “Underspending on
security, and letting
society pay the
eventual price, is far
more profitable. I
don’t blame the tech
companies... Fixing
this requires
changes in the law,
not changes in the
hearts of the
company’s leaders”
BRUCE SCHNEIER, CRYPTOGRAPHER

9. 01:12:20

10. SECURITY AND PRIVACY
ARE CONVERGING

13. NEW FOR 2020…

15. WHAT’S CHANGING?
1. Mandatory privacy breach notification regime - ASAP
2. Criminal offences – fail to notify OPC/mislead/destroy
3. Compliance notices – do/stop doing
4. Enforceable access directions – release
5. Disclosing information overseas – new IPP12, not providers
6. Extraterritorial effect – Facebook
7. Potential for class actions:
“The updated Act will allow the Human Rights Review
Tribunal to award up to $350,000 to each member of a
class action”

18. “One of the key reforms in the Privacy Bill is a
new requirement for agencies to report privacy
breaches. A privacy breach is any unauthorised
access to or disclosure, loss, or destruction of
personal information. It can also include a
ransomware attack. Privacy breaches that pose
a risk of harm to people must be notified to
affected individuals and to the Privacy
Commissioner”
HON ANDREW LITTLE, 2018

20. “Damages for privacy
and related litigation
cases have been
growing in recent
years – with minor
breaches fetching up
to $20,000, medium tier
cases in the range of
$20,000-$50,000, and
serious breaches over
$50,000… class
actions pose
significant risk to
organisations in
breach of Privacy Act”
RUSSELL MCVEAGH, 2019

21. “complainants may
view money as the
most appropriate way
to redress perceived
breaches of their
privacy… agencies
trying to see what risks
may arise from breach
of the Privacy Act look
to the quantum of
damages awarded by
the HRRT as a guide to
the level of risk”
HRRT QUANTUM OF
DAMAGES?
Damages Awarded by the Human Rights
Review Tribunal under Privacy Act 1993,
s88(1)(c) – damages for emotional harm:
8 years / 21 cases / $320,400

22. “We’re also behind
many other
countries in how we
treat data protection.
We have a shiny new
Privacy Act but
there’s no ability for
the Privacy
Commissioner to
take meaningful
enforcement action
against companies
misusing our data”
JON DUFFY, CONSUMER CEO

23. WHY SHOULD I
CARE?

27. PRIVACY HARMS
“People and organisations are becoming
more aware of the individual and group harms
caused by misuse of data and data breaches”

29. “Once described as
‘the right to be let
alone’, privacy is
now best described
as the ability to
control data we
cannot stop
generating, giving
rise to inferences we
can’t predict”
ANDREW BURT, LAWYER

30. LEARNING
FROM DATA…

31. MANDATORY BREACH
REPORTING ENABLES
PRIVACY DATA SCIENCE

32. Mandatory
breach
notifications
will be
“critical in
making
agencies
more
accountable
for their
handling of
personal
information”
CURRENT STATE: OPC

33. “Over 320,000 adults (7.9%) experienced
420,000 fraud or cybercrime incidents
over last 12 months.”
“Only 10% of fraud or cybercrime
incidents were reported to the Police”
Ministry of Justice’s New Zealand Crime and Victims Survey (NZCVS)
results, Cycle 2 - 2019
CURRENT STATE: NZP

34. LEARNING FROM OTHERS
FTC enforcements

36. 19 ACTIONS / 10 YEARS /
110 VULNERABILITIES
Motivations to invest:
• Comply with US laws and regulations
• Reduce privacy harms such as identity theft, cybercrime
• Satisfy security requirements when collecting data
• Discharge director obligations
• Demonstrate due diligence
• Prioritise security spending on highest risks

37. 19 ACTIONS / 10 YEARS /
110 VULNERABILITIES
Top Recommendations:
• Focus on information handling – limit access, encrypt
data at rest, dispose promptly (54%)
• Improve processes – monitor systems and data, patch
systems, train staff (33%)
• Manage consumer expectations – ensure privacy notices
are accurate and consent is explict (13%)

38. 19 ACTIONS / 10 YEARS /
110 VULNERABILITIES
PHYSEC:
• Protect paper based
files
• Apply least privilege
• Secure offices* and
vehicles
• Validate identity at
entry
• Revalidate access
rights regularly

39. LEARNING FROM OTHERS
OAIC insights
Australian Privacy Amendment
(Notifiable Data Breaches) Act 2017

41. “it was anticipated that
the NDB scheme would
raise confidence
amongst consumers
about the entities that
they are dealing with,
and the increased
transparency would
provide consumers
with more information
to make informed
choices about whether
to transact with
particular entities”

42. OAIC NDB YEAR ONE
• Despite anonymity, “a sustained interest from the media in reporting… entities
that have experienced a data breach have been in the public eye”
• A growing awareness of privacy rights and issues amongst consumers
• Average time between a breach and misuse of credentials is 9.55 days
• Takes 90 days for an organisation to detect the initial data breach and 28.25
days more to notify individuals
TOP TIPS:
1. Understand your data holdings and secure PII
2. Test data breach response plans
3. Review contracts and document accountabilities for investigating breaches,
assessing harm and notifying individuals
4. Draft notifications and plan your comms strategy – don’t notify on a Friday!
5. Support individuals to mitigate the impact of a data breach.

44. OAIC JULY 2020
“We are now regularly seeing ransomware attacks
that export or exfiltrate data from a network before
encrypting the data on the target network, which is
also of concern,” she said.
“It highlights the need for organisations to have a
clear understanding of how and where personal
information is stored on their network, and to
consider additional measures such as network
segmentation, robust access controls and
encryption.”

45. LEARNING FROM OTHERS
Our own backyard…

46. "This should not have
happened," State
Services Commissioner
Peter Hughes said.
"Some things are so
critical that they can
never be allowed to fail.
Security of the Budget
is one of these."

49. He had laid a
complaint with the
Privacy
Commissioner,
changed his email
address, passwords
for online accounts,
and froze his credit
reports to prevent
identity fraud.
"For the rest of my
life, I have to worry
about what they [the
unknown third party]
are going to do with
that information."

50. “30,000 files -
including passports
and driver licences -
were discovered
through a security
flaw on Lambton
Property
Management's
website, with experts
estimating the
information to be
worth $500,000 if it
was to be sold on the
dark web”

51. DO WE ID RISKS / HARM?
“System security measures should respond to the risks as
identified in the privacy impact report… Privacy enhancing
responses will involve security safeguards appropriate to the
sensitivity of the information and the particular data handling
practices.”
“Security levels, costs, measures, practices and procedures
should be appropriate and proportionate to the value of, and
degree of reliance on, the information systems and to the
severity, probability and extent of potential harm, as the
requirements for security vary depending upon the particular
information systems.”

52. WHAT SHOULD
WE DO?

53. APPLY INTERNATIONAL
LESSONS LEARNED AND…
• Review personal information assets and collection
• Create/update your privacy policy and raise
awareness of 01.12.20 with staff. Train them!
• Create/update breach response plan and
notification processes to OPC and individuals
• Define RACI for breach detection and response and
exercise against scenarios to build capability
• Inventory supply chain, review contracts and
security capabilities (including offshore)
• Check privacy statement is reflective of real data
flows/sharing arrangements
• Introduce Privacy by Design thinking - more, better,
earlier PIAs for mature orgs.

66. PbyD/SbyD: ESTABLISH NFRS
Example Non-Functional Requirements developed using the Volere method:
• Only direct managers can see the personnel records of their staff.
• Only holders of a current security clearance can enter the building.
• The product shall prevent incorrect data from being introduced.
• The product shall protect itself from intentional abuse.
• The product shall make its users aware of its information practices before collecting
data from them.
• The product shall notify customers of changes to its information policy.
• The product shall reveal private information only in compliance with the
organization’s information policy.
• The product shall protect private information in accordance with the relevant privacy
laws and the organization’s information policy.

68. QUESTIONS?