Global law firm MinterEllisonRuddWatts’ Litigation Forecast for 2017 includes some important information on cyber security, or the lack thereof, in New Zealand.
The report says most New Zealand businesses are not yet recognising the legal consequences that occur if poor cyber risk management is the cause of a hack resulting in data theft.
“In this environment, we think Kiwi organisations have a unique opportunity to adopt world-class (perhaps even world leading) cyber risk and crisis management processes, before the legal consequences of a large scale cyber breach bites – and to potentially avoid or minimise those consequences across the board.” the Forecast explains.
Source of the risk
The risks that come with digital storage can be great. Hackers can access thousands of documents and client information remotely, if it’s all in one place.
Digital storage and distribution methods also give attackers the upper hand, holding firms’ hostage with threats of releasing their stolen information to the public with the click of a button.
“Cybercrime brings high returns at low cost and risk to the perpetrators (who are generally based overseas and difficult to trace),” the report says.
Cybercrime is costing the New Zealand economy millions of dollars every year with the Forecast noting that 2015 alone cost more than 856,000 affected businesses $257 million.
The Office of the Privacy Commissioner has confirmed that regulatory enforcements will be stepped up over the next 12-18 months, with hefty penalties under the new privacy legislation regime.
“We are now seeing the range of consequences for organisations that are not prepared,” the report says.
“As well as reputational and financial consequences, there are very real legal consequences starting to take hold in the United Kingdom, Australia and the United States.”
The report explains that possible punishments may include class actions by shareholders against the directors for any breach of duty, by customers against businesses for negligence, breach of contract and breach of data protection - including not taking “reasonable steps” to protect their customers’ personal information.
What can you do?
“Having established, practised and thorough risk and crisis management procedures in place are key.”
The report recommends firms assess their risk and establish IT systems, manage employees through education, develop a crisis management plan should a cyber-attack occur and consider an insurance plan, should all your safeguards fail, to avoid prosecution and fall out.