The Privacy Commissioner has issued a compliance notice to Te Pūtea Matua (the Reserve Bank of New Zealand, RBNZ) for breaching the Privacy Act.
The notice comes after a cyber attack on the Bank, which occurred in December 2020. The breach was related to a third-party file sharing service provided by Accellion.
According to Privacy Commissioner John Edwards, the attack resulted in a ‘significant breach’ of RBNZ's security systems. The Commissioner also pointed to potential weaknesses in the Bank's ability to protect personal information.
KPMG conducted a review of the Bank's systems and found multiple areas of non-compliance with the Privacy Act. On that basis, the Commissioner says the Bank breached Principle 5 of the Privacy Act, which requires organisations that hold personal information to have reasonable safeguards in place to protect it.
The Privacy Commissioner therefore issued a compliance notice. The notice is a template that the Bank must follow to confirm improvements to its security systems and associated policies and procedures.
Reserve Bank Governor Adrian Orr says the Office of the Privacy Commissioner (OPC) findings are consistent with KPMG's review, and the Bank takes full responsibility.
“We have a detailed programme of work underway to address these. This work started shortly after the data breach incident through our business services improvement programme (BSIP) which continues to be a key priority for us here at Te Pūtea Matua,” says Orr.
Edwards adds, “We are heartened by the speed and thoroughness of the Bank's response. We were notified as soon as the cyber attack was identified, and they have been constructive and open throughout the compliance investigation process. We are pleased to see the positive way they've dealt with the aftermath of the attack.”
The Commissioner can issue a compliance notice to any organisation where a breach makes it in the public interest to do so.
“Publishing the full details of the compliance notice might compromise some of the ongoing efforts to fully rectify the matters that have been identified. However, I have decided it is necessary to publicly acknowledge the steps being taken by the Bank, to provide assurance to the public that these issues are being addressed,” says Edwards.
He adds that the OPC aims to deliver better privacy outcomes for all New Zealanders.
“Where we identify issues that compromise the security of personal information, we will use our compliance powers to make sure that these risks are addressed. This compliance notice also provides a learning opportunity for the Bank, and for other agencies. We appreciate the maturity and openness the Bank have shown throughout this process, and hope that others, too, can learn from this situation.”
Orr concludes, “I would like to again thank the OPC for their support throughout this incident and the collaborative approach they have taken during their investigation.”