New Zealand Privacy Watchdog Wants Firms To Add Multi-Factor Authentication

June 13, 2023

The Office of the Privacy Commissioner in New Zealand has said businesses must ensure they take reasonable cybersecurity steps to protect personal data, including using multi-factor authentication (MFA).

In a June 7 statement, deputy privacy commissioner Liz MacPherson said her office “wants all agencies, big or small, to introduce two-factor authentication” to protect their users' information.

Two-factor authentication “is a bare minimum we would expect for small businesses or organisations that hold or share personal information digitally”, MacPherson said.

“If you are a small business that has a cyber-related privacy breach and don’t have at least two-factor authentication in place expect to be found in breach of the Privacy Act,” the deputy commissioner warned.

New Zealand’s Privacy Act of 2020 requires data holders to protect personal information with reasonable security safeguards and a failure to do so is considered a breach of the act.

Although the act does not specifically mention MFA as a requirement, it has been widely considered that the concept of "reasonable" safeguards requires businesses that hold sensitive data to implement two-factor authentication.

MacPherson said what is reasonable depends on the size of the organisation and the scale and sensitivity of the personal information it holds. Still, she stressed that the lack of MFA may constitute a breach of the law in the event of data theft.

The statement follows a survey by the Office of the Privacy Commissioner in May which found that despite understanding privacy issues, small businesses do not have good privacy policies in place.

The pressure to implement MFA has also heated up after CERT NZ, the government authority on cybersecurity, reported record losses of NZ$20m ($12.3m) to cybercrime in March, with phishing, scams and fraud, and unauthorised access being the top three contributors to losses.

Several experts argued that losses resulting from phishing and data theft could have been prevented if MFA had been in place.

Government communications have been actively promoting MFA across all sectors in New Zealand.

Although data breaches in the airline and healthcare sectors made headlines last October, the banking sector seems to have largely embraced MFA.

According to the websites of New Zealand’s big four banks, ANZ, ASB, Bank of New Zealand and Westpac each offer two-factor authentication, with some requiring it as standard for payments and others offering it as optional security or requiring its use above a certain threshold.

In addition to New Zealand, several countries have voiced concerns about cybersecurity and fraud risks, putting pressure on businesses to implement MFA as a way to fight these threats, even where it is not a mandatory requirement.

Three weeks ago, the Australian Prudential Regulation Authority (APRA) issued a statement to the country’s financial sector emphasising that gaps in the implementation of MFA may represent “a material security control weakness”.

The notice came after the regulator found that MFA has been offered on an opt-in basis for customers and exceptions have been granted for customers without mobile phones or located in areas without reliable phone reception.

Regulators in the United States have also issued several statements making it clear that they expect firms to deploy MFA, while recent communications in India and Argentina also suggest increased regulatory interest in the fraud-fighting tool.
