Reserve Bank gets NZ's first privacy compliance notice

New Zealand’s Privacy Commissioner issued its first compliance notice to the Reserve Bank.

The notice follows an online attack on the bank’s systems in December 2020.

While the notice makes sense, a press release from the Commissioner’s office reads more like bureaucratic procedure than a public shaming.

The Reserve Bank breach happened when software which claims to be secure enough to move confidential information between banks was compromised.

Reports suggest other organisations caught up in the same attack paid ransoms to the attackers. We don’t know if the Reserve Bank paid up.

Systematic weakness


The attack breached the Reserve Bank’s security systems. As John Edwards, the Privacy Commissioner, says, it “raised the possibility of systemic weakness in the Bank’s systems and processes for protecting personal information.”

A review of the Bank’s systems uncovered many areas where it has not complied with the Privacy Act’s Principle 5. This says agencies that hold personal information must have reasonable safeguards in place to protect personal privacy.

Yet, the press release from the Privacy Commissioner quotes Edwards saying: “We are heartened by the speed and thoroughness of the Bank’s response. We were notified as soon as the cyber-attack was identified, and they have been constructive and open throughout the compliance investigation process. We are pleased to see the positive way they’ve dealt with the aftermath of the attack.”

In other words, it was sloppy but ended up doing the right thing.

The press release quotes Reserve Bank governor Adrian Orr attempting unconvincing damage limitation.

Yet the whole point of the Act is to pre-empt online attacks. Organisations like the Reserve Bank should have robust protections in place before any private information is put at risk.

While the notice is real enough, this first one is something of a practice run for dealing with future compliance failures.

Reserve Bank gets NZ's first privacy compliance notice was first posted at billbennett.co.nz.

© Scoop Media