New Zealand’s Privacy Commissioner has for the first time used new powers received from the beefed-up Privacy Act 2020 to slap a compliance notice on the Reserve Bank of New Zealand.
The move relates to a cyberattack in December 2020 where a large amount of information supplied to the RBNZ is believed to have been compromised.
The RBNZ has reportedly refused to disclose whether it paid a ransom or knew about other banks doing so, noting that it “didn’t comment on the topic of ransoms for security reasons”.
Privacy Commissioner John Edwards says the cyberattack raised the possibility of systemic weakness in the RBNZ’s cyber defences for protecting personal information.
As part of the investigation into the breach, the RBNZ hired KPMG to undertake an independent review of its systems and processes.
The review revealed multiple areas of non-compliance with Privacy Principle 5 of the new Privacy Act. That principle requires agencies that hold personal information to have reasonable security safeguards in place to protect personal privacy.
The compliance notice, issued on Wednesday, provides a template for the RBNZ to report to the Privacy Commissioner, confirming the improvements to in its policies and procedures to make them more secure.
RBNZ Governor Adrian Orr says: “We accept these findings and take full responsibility for the shortfalls identified in our systems and processes.”