Reserve Bank hit with compliance notice from Privacy Commissioner over data breach - NZ Herald

14 Sep, 2021 11:17 PM

By: Chris Keall
Business writer, NZ Herald

The Reserve Bank has suffered the ignominy of being the first organisation to be hit by a compliance notice under the new Privacy Act, which came into force in December last year.

Privacy Commissioner John Edwards says an independent review carried out by KPMG after a December 2020 cyber attack "revealed multiple areas of non-compliance with Privacy Principle 5."

Principle 5 of the new Privacy Act states that organisations "must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information".

Failure to follow a compliance notice risks a $10,000 fine.

Reserve Bank Governor Adrian Orr said the Privacy Commissioner's findings "are consistent with the findings and recommendations in the KPMG review. We accept these findings and take full responsibility for the shortfalls identified in our systems and processes."

Orr added, "We have a detailed programme of work under way to address these. This work started shortly after the data breach through our business services improvement programme (BSIP) which continues to be a key priority for us here at Te Pūtea Matua."

In December 2020, a file-sharing service called FTA (File Transfer Application) was breached. The RBNZ used FTA, which is operated by a US company called Accellion, to share files with its customers, who include retail banks and insurance companies.

The issue of cyber security was raised in a May 2020 (initially confidential) RBNZ report called Digital Services: Consultation for Change, with a foreword by the bank's then-chief information officer Scott Fisher, who quit the bank in June this year, calling it a "personal decision".

The report included the lacerating line that there is "High operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms", and it recommended upgrading FTA to Accellion's newer Kiteworks.

The KPMG report recommended the Reserve Bank develop more resilient systems and processes. Orr says upgrades are under way.