The Privacy Commissioner has today issued a compliance notice to the Reserve Bank of New Zealand, triggered by a cyber-attack in December 2020.
This is the first time the Privacy Commissioner has issued a compliance notice since receiving these new powers in the Privacy Act 2020.
Privacy Commissioner John Edwards says, “The cyber-attack was a significant breach of one of the Bank’s security systems and raised the possibility of systemic weakness in the Bank’s systems and processes for protecting personal information.”
As part of the investigation into the breach the Bank engaged KPMG to undertake an independent review of its systems and processes. The review revealed multiple areas of non-compliance with Privacy Principle 5.
Mr Edwards says, “We are heartened by the speed and thoroughness of the Bank’s response. We were notified as soon as the cyber-attack was identified, and they have been constructive and open throughout the compliance investigation process. We are pleased to see the positive way they’ve dealt with the aftermath of the attack.”
The compliance notice issued today provides a template for the Bank to report on to the Privacy Commissioner, confirming the improvements to their policies and procedures aimed to make the systems more secure.
Reserve Bank Governor Adrian Orr says, “OPC’s findings are consistent with the findings and recommendations in the KPMG review. We accept these findings and take full responsibility for the shortfalls identified in our systems and processes.”
“We have a detailed programme of work underway to address these. This work started shortly after the data breach incident through our business services improvement programme (BSIP) which continues to be a key priority for us here at Te Pūtea Matua.
I would like to again thank the OPC for their support throughout this incident and the collaborative approach they have taken during their investigation.”
Mr Edwards says, “Our role as a regulator is to deliver better privacy outcomes for all New Zealanders, using the powers at our disposal. Where we identify issues that compromise the security of personal information, we will use our compliance powers to make sure that these risks are addressed. This compliance notice also provides a learning opportunity for the Bank, and for other agencies. We appreciate the maturity and openness the Bank have shown throughout this process, and hope that others, too, can learn from this situation.”
Mr Edwards says that the Privacy Act allows for the publication of compliance notices on a case-by-case basis if the Commissioner believes it is desirable to do so in the public interest.
“Publishing the full details of the compliance notice might compromise some of the ongoing efforts to fully rectify the matters that have been identified. However, I have decided it is necessary to publicly acknowledge the steps being taken by the Bank, to provide assurance to the public that these issues are being addressed.”
- A compliance notice is a written notice from the Privacy Commissioner to a public or private sector agency that the agency is in breach of its statutory obligations under the Privacy Act.
- The Privacy Act’s Principle 5 says agencies that hold personal information have to have reasonable security safeguards in place to protect personal privacy.