NEW ZEALAND SUPERVISORY AUTHORITY: Privacy Commissioner issues first compliance notice to Reserve Bank of New Zealand


The Privacy Commissioner has today issued a compliance notice to the Reserve Bank of New Zealand, triggered by a cyber-attack in December 2020.

This is the first time the Privacy Commissioner has issued a compliance notice since receiving these new powers in the Privacy Act 2020.

The cyber-attack was a significant breach of one of the Bank’s security systems and raised the possibility of systemic weakness in the Bank’s systems and processes for protecting personal information.

As part of the investigation into the breach the Bank engaged KPMG to undertake an independent review of its systems and processes. The review revealed multiple areas of non-compliance with Privacy Principle 5.

The Authority is heartened by the speed and thoroughness of the Bank’s response. It was notified as soon as the cyber-attack was identified, and the Bank has been constructive and open throughout the compliance investigation process. The Authority is pleased to see the positive way the Bank has dealt with the aftermath of the attack.

The compliance notice issued today provides a template for the Bank to report to the Privacy Commissioner, confirming the improvements to its policies and procedures aimed at making the systems more secure.

OPC’s findings are consistent with the findings and recommendations in the KPMG review. The Governor of the Bank accepts these findings and takes full responsibility for the shortfalls identified in the Bank’s systems and processes.

The Governor has a detailed programme of work underway to address these. This work started shortly after the data breach incident through the Bank’s business services improvement programme (BSIP), which continues to be a key priority at Te Pūtea Matua.

The Governor would also like to thank the OPC again for its support throughout this incident and the collaborative approach it has taken during its investigation.

The Authority’s role as a regulator is to deliver better privacy outcomes for all New Zealanders, using the powers at its disposal. Where it identifies issues that compromise the security of personal information, it will use its compliance powers to make sure that these risks are addressed. This compliance notice also provides a learning opportunity for the Bank, and for other agencies. The Authority appreciates the maturity and openness the Bank has shown throughout this process, and hopes that others, too, can learn from this situation.

The Privacy Act allows for the publication of compliance notices on a case-by-case basis if the Commissioner believes it is desirable to do so in the public interest.

Publishing the full details of the compliance notice might compromise some of the ongoing efforts to fully rectify the matters that have been identified. However, the Authority has decided it is necessary to publicly acknowledge the steps being taken by the Bank, to provide assurance to the public that these issues are being addressed.

Background

  • A compliance notice is a written notice from the Privacy Commissioner to a public or private sector agency that the agency is in breach of its statutory obligations under the Privacy Act.
  • The Privacy Act’s Principle 5 says agencies that hold personal information have to have reasonable security safeguards in place to protect personal privacy.

SOURCE: NEW ZEALAND DATA PROTECTION AUTHORITY – OPC
