Technology and its endless capabilities mean that now more than ever it is easier for businesses to conduct their operations online in a cost effective manner. While this reliance on technology brings with it remarkable benefits, those who use it for less legitimate means are making sure that they keep pace with the rate of innovation. As hackers continue to outsmart antivirus software, firewalls and employee training, the risk of a data breach has become almost inevitable. A data breach can happen to any organisation and can occur at any time, with impacts ranging from financial losses to reputational damage.

The serious and actual threat posed by a data breach means that organisations need to have proactive measures in place to mitigate risk and protect their sensitive information, whether personal or commercial in nature. Part of this risk mitigation involves having an incident response plan in place in order to respond quickly and effectively. While a data breach may be inevitable, affected organisations have control over their response, which can make a critical difference to the management of reputational and financial fallout.

CERT NZ have recently released their guide on public communications for cyber security incidents. This insight will delve into the key aspects of this framework and explain why having an incident response plan is necessary for any organisation that stores its data online or uses technology to hold information.

What is a data breach?

The Privacy Act 2020 defines a privacy breach as unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of personal information or an action that prevents the agency from accessing the information on either a temporary or permanent basis. It can be caused by a person inside or outside the agency, attributable in whole or in part to any action by the agency, and may be ongoing.

In short, a data breach is an event in which sensitive or confidential data is accessed, stolen, or exposed by an unauthorised party, which could be an employee with access to information that they shouldn’t have, or an outside hacker. This can include personal information such as names, addresses, financial information, as well as commercially sensitive information, such as financial data, trade secrets, and intellectual property.

A data breach can occur through various means, but those incidents that make news headlines tend to occur via hacking, phishing, or malware, whereby the hackers exploit vulnerabilities in a company’s network or software in order to obtain access to protected information and steal data. This information can subsequently be held for ransom, or sold via an illicit means for a hefty price. It is therefore crucial for organisations to act quickly and effectively to minimise damage.

What can the consequences be?

Consequences can be wide ranging, from financial losses to reputational damage. Here are some of the main consequences that can follow if an organisation doesn’t nail its incident response:

• Financial losses: a data breach can have direct financial impacts such as the cost of investigating the breach and notifying affected parties. However, a data breach can also open an organisation up to legal liabilities, such as regulatory penalties and contractual claims if not properly managed.
• Reputational damage: a data breach can seriously impact consumer confidence and trust, particularly if made public. This lesson has been learned in recent times by  Medibank, which suffered a major breach in 2022 that became the largest breach of its kind in Australia and launched a class action lawsuit. The broad media coverage (which was generally negative) created obvious reputational issues for Medibank, including publication of the fact that the data breach was made possible by the theft of internal credentials believed to belong to an individual with privileged system access.
• Regulatory compliance challenges: if an organisation ‘carries on business in New Zealand’ it is subject to New Zealand’s privacy laws, including the Privacy Act 2020. If proper notifications to the regulator (and if required, affected individuals) are not made, an organisation could be on the hook for a NZ$10,000 fine or proceedings brought by an aggrieved individual in the Human Rights Review Tribunal (which has the jurisdiction to award damages in respect of an interference with privacy of up to NZ$350,000).

What can you do to prepare for a data breach?

Preparing for a data breach is an important aspect of any organisation’s risk management and cybersecurity strategy. The following steps can help your organisation plan for the inevitable:

• Develop a data breach response plan. A comprehensive plan will outline the steps your organisation needs to take in the event of a breach. This plan should identify key contacts such as legal advisers, IT support, and members of the organisation’s incident response team, as well as their respective roles and responsibilities. Scenario planning will mean that you’re prepared and ready to respond immediately when an actual privacy breach does occur.
• Conduct a risk assessment. This may include testing your organisation’s IT systems and simulating a breach from the outside. This will alert you to any potential security vulnerabilities and allow you to respond accordingly.
• Implement IT security controls such as firewalls, anti-virus software, encryption of sensitive data, and policies that require employees to have multi-factor authentication enabled. Training employees to recognise social engineering attacks is another important tool to reduce the likelihood of a privacy breach occurring.
• Evaluate your cyber insurance. Ask whether it is needed by your organisation, and if so, whether it is fit for purpose. When answering these questions, consider the types of data that your organisation deals with; the greater the quantity or sensitivity of personal or commercial information, the greater the risk.
• Review your contracts with IT suppliers, including the degree to which they shift liability on to you. Check whether they have an obligation to notify you in the event that they suffer a data breach, and any potential claims you might have against them if anything happens to your organisation’s data while it is in their care.

What should be done in the event of a data breach?

Upon discovering a data breach, it is important not to forget that addressing the technical issue is only part of the response effort. Effective communications are vital to controlling the narrative around how an organisation is perceived during and after the incident. The CERT public communications framework guide is an excellent starting point in this respect. We also set out below some key steps to take when responding to cyber security incidents:

1. When an incident occurs

The first thing you should do if you think a data breach has occurred is to put your incident response plan into action. No matter how bad it seems, taking the below actions will mitigate any potential fallout from the data breach. This involves the following steps:

• Assemble key internal personal at your organisation to form a data breach response team.
• Conduct preliminary checks to identify the scope of the data breach.
• Take actions to promptly contain the breach.
• Review your contractual arrangements with third parties to ascertain whether you have any immediate notification requirements, and any potential liability.
• Determine whether external parties need to be notified and/or engaged. These might include lawyers, public relations experts, IT and security specialists, and in the case of privacy breaches involving criminal activity, the Police.
• Take steps to gather and preserve evidence and compile facts associated with the breach, such as system or activity logs, document all actions taken (and by whom), and the exact time and date of those actions.
• Decide whether to notify the breach to affected individuals, regulators, and/or other relevant third parties in accordance with the notification principles set out below.

If you have cyber insurance, now is also the time to notify your insurer.

2. Notification to others

Under the Privacy Act 2020, if your organisation has a privacy breach that either causes or is likely to cause serious harm to affected individuals, you must notify the Privacy Commissioner and any affected people as soon as you are practically able to. What constitutes serious harm is a judgement call, but factors to take into account include whether the personal information is sensitive in nature, the person or body that has obtained the information as a result of the breach, whether the personal information is protected (e.g. encrypted) and any action taken by the agency to reduce the risk of harm following a breach.

The Privacy Commissioner expects to be notified of breaches no later than 72 hours after your organisation becomes aware of it. Breach notifications can be made via the Commissioner’s website, using their notification form.

The following principles from CERT set out how to manage communications in the event of a data breach:

• Create a balance between clear information that stakeholders need to know, while also keeping specific information confidential to not entice further attacks. State what type of incident has occurred and if it is ongoing.
• State what steps have been taken to mitigate or solve the incident and whether other organisations (such as CERT or the Privacy Commissioner) are involved. This will give credibility to your response.
• Remember that anything you say to stakeholders has a chance to be reported in the media. Consider everything to be public messaging.
• Control the narrative. Media may come to you before you have a chance to prepare. Having a set of pre-prepared statements is better than silence.
• When communicating with the Privacy Commissioner it is important to accept responsibility and avoid downplaying the incident. Trying to avoid accountability will be perceived as not taking the incident seriously.

Throughout the process, it is important to keep lines of communication open. Transparency will be key to rebuilding trust and credibility following a breach. As a regulator, the Privacy Commissioner will want to see evidence of accountability. The degree to which you are cooperative with the Privacy Commissioner will inform their assessment of whether your organisation understands the importance of protecting privacy and personal data.

If it is not possible to notify affected individuals, your organisation must instead give public notice of the privacy breach. It is important to remember that under the Privacy Regulations 2020, public notice must be given in a form in which no affected individuals are identified, and the public notice must be published on an internet site maintained by your organisation (that is publicly accessible for free) and in at least one other medium that you consider is most likely to bring the notice to the attention of the greatest number of individuals.

There are certain exceptions to the requirement to notify affected individuals or give public notice (but not to the requirement to notify the Privacy Commissioner), including where the notification would reveal a trade secret, prejudice the maintenance of the law, or endanger the safety of any person. In addition, you are not required to notify an affected individual (or give public notice of a breach) if the affected individual is under the age of 16 and notification would be contrary to their interests, or after consultation with the individual’s health practitioner, you believe the notification would be likely to prejudice their health.

Any decision to not notify affected individuals (or give public notice) must be clearly documented by the breach response team and it is recommended you seek legal advice before making that decision.

3. After the event

Depending on how long the incident continues, you may need to send updates. If an investigation wraps up, it is important to communicate this to stakeholders so they aren’t left in the dark.

After the event is the best time to go through your systems and processes and evaluate any further potential risks. This involves reviewing and updating your organisation’s privacy policies and security protocols to ensure they are up-to-date and effective. This may involve consulting with privacy experts and talking to stakeholders to see how the message was received and what could be done better next time.

Dentons in New Zealand is experienced in assisting with matters encompassing the full spectrum of privacy law. We have experience in dealing with privacy breaches, including the immediate incident response, and in implementing plans to prepare for the inevitable. Our experts are on hand to assist – contact Hayden Wilson, Campbell Featherstone, or Hayley Miller to find out more. This article was written by Megan Jury, a solicitor in the Wellington litigation team.