My colleague, Anchali Anandanayagam, and I facilitated the “Suits on Cybercrime” session at Gather 2016 (the digital, technical and community’s big day out) over the weekend. In our session we discussed how the law wouldn’t really help you if your organisation fell victim to a cyber-attack. Rather, prevention is the key: taking physical, technical and organisational measures to protect against, or be able to respond quickly to, a cyber-attack.

We also discussed how any organisation, no matter how large or small, could be subject to a cyber-attack. Earlier this month, hackers attacked Hunting & Fishing’s website, forcing it to suspend the operation of its website until further notice. Hunting & Fishing has urged its customers who have purchased goods recently to contact their bank and check their transaction history at the earliest opportunity. It is unclear what, if any, data has been taken by the hackers.

In New Zealand, there is no mandatory data breach notification scheme (which exists in many countries such as the US, and which is coming to Australia) that would require an organisation to notify, say, the relevant Privacy Commissioner that a data breach has occurred. A data breach notification scheme is likely to be considered as part of New Zealand’s privacy law reform currently underway. The Minister of Justice has indicated that a Bill amending the current Privacy Act 1993 is likely to be introduced to Parliament in 2017.

Whether or not a mandatory data breach notification scheme is introduced into New Zealand, organisations should be proactive by having a cyber-risk management plan in place that addresses to what extent they will notify customers and other stakeholders if a data breach occurs. Organisations should operate on the assumption that they will be cyber-attacked. It's not clear if Hunting & Fishing had such a plan in place, but it has done the right thing by posting a notice of the attack on its website as well as, hopefully, advising its customers directly.