last updated 29/11/2020

How will the Privacy Act changes affect your franchise?

25 November 2020 – As email attacks and fraud grow, new data privacy laws require businesses to be aware of their governance and compliance responsibilities

It's been 27 years since privacy laws in New Zealand were last updated, and they have become increasingly inadequate in the digital age. Consumers are very concerned about personal information and privacy, and are worried about businesses’ ability to preserve it.

With that in mind, the Privacy Act 2020 was passed earlier this year. The Act will come into effect on 1 December 2020 and prescribes a range of new obligations relating to how businesses should secure their data and deal with the growing complexity that exists around electronic customer communications.

‘There are clear implications here for franchisors who hold data on behalf of their franchisees – for email newsletter or loyalty programmes, for example – and for franchisees who are collecting customer information,’ says Chris Hogg of digital communication specialists Cumulo9.

‘And one of the biggest areas for concern is emails. Business emails are being hijacked every day, and fraudulent alterations are costing New Zealand individuals and organisations millions. If your franchise can’t show that it has taken proper steps to safeguard its communications and customer data, you could be in big trouble.’

According to CERT NZ (part of MBIE), cyber attacks delivered by email were among the most commonly reported incidents in the third quarter, 1 July to 30 September 2020. This included a 101% increase in business email compromise reports compared with Q2, which resulted in $944,000 of direct financial loss. There was also a 34% increase in the number of malware attacks from Q2; the majority involved malware called Emotet, which spreads via email.

Stronger enforcement and compliance

The Privacy Act 2020 will introduce a number of new enforcement and compliance provisions.

First, businesses will need to report serious privacy breaches. For example, if you experience a data breach that poses a risk of harm (e.g. leaked personal information is used in identity theft or published online), you must notify the people affected, and you must also notify the Office of the Privacy Commissioner. A business that fails to report a privacy breach could face a fine of up to $10,000.

Second, the Privacy Commissioner will have the power to serve businesses with compliance notices and instruct the business to release personal information.

Third, if someone requests personal information held by a business, the business cannot destroy the information in order to avoid providing it.

Another important change strengthens the Privacy Commissioner’s power to investigate privacy complaints, by setting shorter time frames for businesses to respond and provide requested information.

Advice for franchisors and franchisees

It is recommended that franchise businesses review their privacy policy, franchise and employment agreements and data management policies to check that current systems comply with the Act. While franchisors will bear the brunt of the responsibility in many cases, it is worth noting that franchisees are independent businesses and therefore responsible too.

While organisations like Netsafe and the Police are informing the public about email scammers, and CERT NZ is also in the business of informing the public about scams and fraud, many businesses have failed to deploy the security solutions that are now available.

‘Where franchisees maintain their own databases or send out digital communications independent of the franchisor’s systems, they also need to ensure they are compliant,’ says Chris. ‘The problem with email is that the system was developed long before security became a real concern, so it’s an area where businesses are potentially at their most vulnerable. That’s especially true in multi-site organisations such as franchises where lots of people are using related email addresses.’

Some questions to ask about email

  • Do you have a Disclosure Statement on every email? Is it the right one? Can you prove it?
  • Has the right attachment been attached?
  • Does your email system use up-to-date security and authentication measures like TLS, DKIM and DMARC to ensure your email communications get through without being altered by intermediary mail servers or spoofed?
  • Can you prove that the document went out at all?
  • If it did get sent, did it bounce back? If so, why? Do you have an automated default process set up?
  • What action do you need to take to protect your email services and stay compliant with the Privacy Act?

The need for decisive action

Chris says that one way to address these security issues is to use an external service provider. ‘For example, Cumulo9 has a solution called C9 Track & Trace that manages governance and compliance for emails. Using this, emails will incorporate best-practice security features like DKIM, which shows the recipient server that the email hasn’t been tampered with. Another function, SPF, clearly identifies that your email is legitimate, while TLS connections ensure your correspondence is being sent over a secure line.

‘It all comes with a reporting dashboard that includes proof of “opens”, which is now a critical element in the customer interaction process, and is compliant with the EU’s General Data Protection Regulation and ISO27001 as well as the Privacy Act 2020.’

‘We’re happy to talk to franchises about any issues they have, and offer a free 90-day trial of C9 Track & Trace to help them overcome any system weaknesses. Just contact us to find out more.’
