Privacy Commissioner closes compliance notice for RBNZ cyber attack

Privacy Commissioner closes compliance notice for RBNZ cyber attack


New Zealand’s Privacy Commissioner has closed its first compliance notice, issued to the Reserve Bank of New Zealand (RBNZ) in September 2021.

The notice was issued following the Reserve Bank’s response to a cyber attack in December 2020 and subsequent independent review of the incident by KPMG.

“When an agency has had a significant privacy breach, compliance notices are one of our core tools for providing them with a clear roadmap to improving their privacy practices,” said Privacy Commissioner Michael Webster. “In this case, our compliance notice outlined improvements the Reserve Bank needed to make to ensure the safety and security of the personal information in its care, building on the KMPG report. The RBNZ has made every change recommended and more, and we are closing this compliance notice confident that all identified areas of concern have been addressed.”

One of the Privacy Commissioner’s powers is to issue a compliance notice to organisations that fail to meet the obligations set out in the Privacy Act. The notice contains the various changes the recipient needs to make to comply with the Privacy Act. Refusing to comply with a compliance notice is an offence under the same law.

“The Reserve Bank did everything right in responding to this breach,” Webster said. “They notified us immediately, they worked with us throughout the process, and they have taken on board the improvements we advised through our compliance notice. We’re heartened by their willingness to learn from this situation and the safeguards and continuous improvement processes they have put in place.”

See also  Foresight Insurance 'just built differently' said Kelly McLaughlin, head of insurance

“This is an important milestone and a credit to all the RBNZ staff and stakeholders who’ve worked together to deliver our business services improvement programme which we started shortly after the data breach incident,” said RBNZ governor Adrian Orr. “At Te Pūtea Matua, we remain committed to our ongoing programme of education and training while continuing to improve our systems and processes supporting the protection and storage of information. I would like to again thank the OPC for its support throughout this incident and the collaborative approach they have taken to their investigation and our remedial actions.”