“Protecting against data loss and cyber risk needs to be addressed by all organisational functions, not just left to the IT department,” Pollard says.
He advised that risk managers should consider how to use people, processes and technology together to manage the risk. Pollard noted that if companies have a robust risk management plan in place, there are insurance solutions to help protect them against cyber risk.
He addressed retailers as part of a campaign to address his wider concerns around privacy laws in New Zealand.
Under the current law, if a New Zealand company experiences a data breach (such as a hack or accidental leak of customer data) the company is not obligated to inform the affected consumers.
This means that customers’ personal data, including credit card details, tax information and medical histories, could be being passed around online without their knowledge.
Pollard called for the New Zealand government to update its existing privacy laws to reflect the changing online landscape. He says the government should be careful to avoid raising the bar too high by creating laws that are difficult for smaller Kiwi businesses to comply with, but suggested a “notification period” where businesses would get 14 days to notify customers of a data breach or compromise.
“Getting the right protections in place is vital, not just for consumers but for businesses as well; a legal battle over a breach can be extremely costly to business both in terms of legal costs and brand damage,” Pollard says.
The Register carried out a quick Q&A with Pollard.
These concerns you’ve brought up seem to be mainly related to protecting consumers who may, as you mentioned, have their personal data floating around without being made aware of a breach. Why should retailers be concerned about this?
Retailers should be concerned with this for two main reasons:
1) International law changes are coming, or are already here for several countries, which means it will come to New Zealand eventually. We do not want our retailers to get caught flat-footed when it does, scrambling to meet new standards.
2) When operating internationally, Kiwi retailers must meet local standards and are subject to legal battles and large government fines if they do not. New Zealand retailers need to treat data security seriously, and this starts with meeting international best-practice.
Would you support retailers and other small businesses adopting a voluntary policy for breach notification? Do you know of any retail businesses with such a policy currently in place?
We are not aware of any retail business in NZ with such a policy in place. But by voluntarily taking on a best-practice policy, companies can build a good reputation with consumers, protect themselves from costly international legal battles and fines, and have themselves ready to hit the ground running when the New Zealand law is updated.
What should retailers be thinking about when it comes to privacy law? What are your primary points of concern in that area?
It may not be mandatory right now, but the last place a company wants to be in is having a breach occur and finding out through the media. Retailers need to make sure that they have systems in place to prevent cyber attacks, they need to be able to monitor for instances of cyber attack so they know when they've been breached, and they need processes in place to manage notification of affected customers, reassuring them that it won't happen again.
Can you recommend any course of action for retailers to address those concerns?
Treat data security as a priority for the whole business. Consult with experts, and put the processes in place to manage the situation in the event of a hack or data-security breach.