Our increased online connectivity, the growing number of networked devices and the enhanced sophistication of cyber attacks mean that threats to information security are only growing.
When it comes to cyber attacks, there is no such thing as a target being too small. In fact, there are a number of reasons why start-ups may be more likely to be targeted.
Start-ups often have new intellectual property and trade secrets that could be valuable to third parties. Even the smallest start-ups often store or handle customer data, including financial information. And often start-ups focus on the more pressing parts of the business, such as sales and operations, which means that cyber security often gets overlooked.
Why should start-ups care about cyber security and data privacy?
The disruption to business operations, financial loss, IP / data theft, reputational damage, legal exposure and loss of shareholder value that can result from a cyber security incident mean that every business should proactively address cyber security. Start-ups are no different.
In addition to being and remaining legally compliant, start-ups that invest upfront in cyber security and data protection can foster a more positive brand image, enhance customer trust and gain a competitive advantage. Investors are also more likely to invest in a start-up where they know that cyber security has been addressed, thereby mitigating the risk of loss of shareholder value.
What are the 3 key areas start-ups need to be aware of in terms of their legal obligations?
Start-ups need to be aware of legal obligations under the Companies Act 1993 and the Privacy Act 2020, and also under the contractual arrangements they have in place with customers, suppliers and other stakeholders, in respect of data privacy and security.
1) Companies Act 1993 - Section 137
When exercising powers or performing duties as a director, each director must exercise the care, diligence, and skill that a reasonable director would exercise in the same circumstances. This duty of care extends to ensuring the security of data asses.
2) Privacy Act 2020
Every business that collects personal information must have reasonable safeguards in place to ensure the information is kept secure against loss, misuse and unauthorised access or disclosure (IPP5). Where the information is given to a third party in connection with the provision of a service to the business that collected the information, the business must do everything reasonably within its power to prevent unauthorised use or unauthorised disclosure of that information.
If a business has a privacy breach that it believes has caused (or is likely to cause) serious harm (a notifiable privacy breach), it needs to notify the Privacy Commissioner and affected individuals as soon as possible (s114 and 115).
A privacy breach means any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information, and includes any action that prevents the agency from accessing the information on either a temporary or permanent basis.
The Privacy Commissioner is able to issue compliance notices to require a business to do(or stop doing) an act to comply with the Privacy Act. Failure to follow a compliance notice by a specified deadline, or to notify the Privacy Commissioner of a notifiable privacy breach (without reasonable excuse), could result in a fine of up to NZ$10,000.
3) Contractual obligations
Customers, suppliers and other stakeholders may require contractual commitments from start-ups relating to their cyber security and data protection processes and systems, and remedies where start-ups fail to meet those commitments.
What are some of practical tips for protecting information
A reactive response to cyber crime is usually ineffective as the damage done maybe irreparable. While computer based crime can be prosecuted in New Zealand under the Crimes Act 1961 and civil claims may be brought against an attacker, it is not always possible to identity the attackers and enforcement of New Zealand law when the offender in overseas (which is often the case in cyber attacks) is difficult.
Therefore, the best approach to protecting a start-up’s information is to take preventative measures.
While there is no “one size fits all solution”, start-ups should put in place physical, technical and organisational measures that are reasonable in the circumstances to mitigate the risks of cyber security incidents. Start-ups should also develop a security incident response plan taking into account the nature of the information that they collect and hold, and the harm that could be caused if such information was lost, stolen, or used or accessed in an unauthorised manner.
What should a start-up do if it suffers a security breach?
Where a start-up suffers a cyber security incident, it should immediately assess the situation and respond appropriately. Where a security incident response plan is in place,the plan should be followed.
The start-up should first take any necessary steps to retrieve and secure stolen information and limit any damage caused. In parallel, the start-up will need to consider who needs to be informed and when,bearing in mind its legal obligations under the Privacy Act 2020 and its contractual arrangements. The start-up may need to bring on professional support in the way of IT experts, lawyers,and PR advisors.
Once the cyber security incident has been adequately addressed, the start-up should undertake a thorough investigation of the cause of the breach and update its policies and procedures as required to ensure the risk of the breach occurring again is mitigated.
Cyber attacks are increasing in frequency, sophistication and impact. The disruption and loss that can result from a cyber security incident mean that start-ups cannot afford to wait to get hacked before doing something about cyber security.
While there is not a “one size fits all” solution to cyber security, a crucial first step for start-ups is understanding the nature of the data they hold and the legal obligations that attach to that data. Once start-ups understand this, they can develop and implement reasonable measures and plans that will help prevent, and mitigate the impact of, any cyber security incident.