Your bank, insurer or doctor may know your personal details are being circulated around criminals after a cyber-attack on their system, but choose not to tell you.
It is on this basis the global cybersecurity firm, Symantec, is lobbying the Government to urgently push through changes to the Privacy Act 1993, to make it a legal requirement for agencies to report cyber breaches to the Government and the individuals affected.
Its technology strategist Mark Shaw says the Government needs to follow the lead of European authorities and oblige agencies to report cyber breaches as soon as they become aware of them.
According to Symantec’s annual Internet Security Threat Report, at least 429 million people’s identities were exposed by cyber criminals in 2015, up 23% from 2014.
Shaw says there’s been an 85% increase over this time in the number of companies that have said they’ve suffered a breach but have chosen not to disclose how many of their records have been affected, or the extent of the information exposed, because they weren’t legally required to do so.
“The increasing number of companies choosing to hold back critical details after a breach is a disturbing trend. Transparency is critical to security. By hiding the full impact of an attack, it becomes difficult to assess the risk and improve security to prevent future attacks,” says Symantec’s security response director, Kevin Haley.
Shaw says a number of security organisations are therefore pressuring the Government to update the law. He notes the Government is largely taking its lead from Australian authorities on the matter.
Progress updating the Privacy Act
A review of the Privacy Act 1993 has been on the Government’s radar for the past decade.
Progress was made in 2014 when Cabinet agreed to introduce provisions in the Privacy Act that would make it mandatory for both public and private agencies to report material data breaches to the Privacy Commissioner.
The Justice Minister Amy Adams explains: “The paper outlined that agencies would also have to notify affected individuals in serious cases unless an exception applies. Specific criteria in the new Act would determine the thresholds for notifying breaches.”
So what’s the hold up?
“I’ve been taking time to consider whether there are any other issues in the privacy area that should be included in the reform Bill,” Adams says.
“I expect that a draft exposure Bill will be released later this year so that the public and interested sectors have an opportunity to make submissions on the draft.
“This is a shared problem. Government can’t solve this on its own. Nor can the private sector. Partnerships will be essential to improve our security.”
Pros and cons of notification
The Law Commission, in its Privacy Act Review 2011, supports mandatory notification in a “clearly defined set of situations”.
It says notification can enable those whose information has been compromised to take steps to mitigate the harm by monitoring their bank statements, changing bank account numbers and passwords or cancelling credit cards for example.
It points out data breaches can also result in people being publically humiliated, so giving those affected a heads up can only help.
“Notification can enable law enforcement, researchers, and policy makers to better understand which firms and sectors are best (or worst) at protecting consumer and employee data,” the Commission says.
“In this regard notification assists in understanding the privacy and security environment and aids the development of policy in this area. It also alerts the community to the prevalence of such incidents.”
On the flipside, the Law Commission recognises notification is likely to come at an economic and reputational cost to the agencies affected.
“There might also be insurance consequences: for example, companies might be reluctant to notify for fear of it being perceived as an admission of liability, thereby prejudicing rights to claim from their insurers.”
Furthermore, it says notification can cause people unnecessary stress, as often they won’t be able to do anything about it.
It can also be seen as a punishment to an agency, as it can undermine customer trust and lead to a loss of custom. This can act as an incentive to conceal rather than reveal breaches.
The New Zealand Bankers' Association won't comment on notification specifically.
Its acting chief executive Antony Buick-Constable says, "The industry will address the proposed changes to the Privacy Act 1993 more fully when the review process has been initiated.
"Cyber security is a major priority for banks. Ongoing investment in technology, processes and systems helps ensure our banks and customers are well-protected against potential threats of cyber crime, including data breaches. This long-term view and investment is also a commitment to maintaining a sustainable and successful banking sector in New Zealand."
New Zealand a soft target for cyber attacks
Symantec’s latest report reveals New Zealand is ranked second in the Southern Hemisphere and 21st globally for ransomware attacks – attacks that restrict access to your computer system and demand you pay a ransom for the restriction to be removed.
The average number of ransomware attacks in New Zealand per day increased by 163% from 2014 to 2015, to 108.
Symantec also ranks New Zealand fourth across Asia Pacific and 21st globally for social media scams.
Shaw says we’re a soft target as we’re an affluent nation that’s engaged with the internet.
“Advanced criminal attack groups now mirror the skill sets of nation-state attackers. They have well-resourced and highlight-skilled technical staff that operate during normal business hours – they even take weekends and holidays off,” Haley says.
He notes the effect of a data breach can be extensive. “Large businesses that are targeted for an attack will on average be targeted three more times within the year.”
New Zealand has within in the last few months been at the centre of a serious scam – ‘Slempo’ – targeting banking app users on Android.
Using a fake log-in screen, the malware locks a user's phone until they enter those details and steals them. It also can see text messages that the bank may send to verify a new password and then uses that code to gain access to accounts.
Shaw warns, “If your bank is using SMS as a two-factor authentication mechanism, I’d have a word with them. Frankly, SMS is archaic as a security technology for delivering one-time passwords.”
He acknowledge a number of banks do use SMS as a two-factor authentication mechanism.
All the banks in New Zealand have also been targeted by the ‘Dyre Financial Trojan’, which duplicates the bank pop-up on your internet banking and asks you to fill in your details to progress to the next page.
Buick-Constable says, "If a bank was responsible for a cyber security data breach, the bank would work to resolve the issue.
"Banks may be able to reimburse customers depending on individual circumstances and their terms and conditions. That doesn’t override each customer’s responsibility to protect access to their bank accounts."
The NZ Fire Service and Te Wananga O Aotearoa are two other examples of New Zealand agencies that have been hit by attacks over the past year.
Globally, breaches within the health services sector accounted for 39% of all the attacks in 2015, while attacks on business services accounted for 7% and insurance carriers 6%.