Edmonds Judd

privacy

It’s hard to ignore the headlines; the past few years have brought floods, plagues and an unprecedented rise in cyber-attacks. New Zealand businesses have taken the brunt of these events. Some have been pushed to breaking point.

 

Floods and plagues are tangible events. We can usually see them coming and prepare for the worst. Cyber-attacks are like a bolt of lightning: one minute it’s a sunny day, and the next minute your business is on fire and you are scrambling to mitigate the damage.

 

Cyber resilience is a measure of how well you can manage a cyber-attack or data breach while continuing to maintain business operations effectively. There are some simple steps you can take to make your business more resilient to cyber-attacks.

 

Step One: Know what you are trying to protect

All businesses have information that, if lost, would compromise the viability of the business. When considering what you need to protect, think of your information as assets, and think in terms of maintaining their confidentiality, their integrity and their availability. Which ones are the most important for your business to protect?

 

Knowing what you need to protect makes it easier to determine whether your cybersecurity protections are sufficient.

 

Step Two: Mind the gaps

Cyber resilience is more than just having anti-virus installed. Pay attention to the resilience of your people, processes and technology; cyber health checks will identify gaps and recommend improvements. Specialist cyber resilience companies such as Intelligensia provide impartial assessments of your cyber resilience and can liaise with your IT provider to get you the right level of protection.

 

Step Three: Know your risk appetite

Know how much risk you are willing to accept for your business. This helps you decide how much you need to invest in cybersecurity protections. For example, if you keep sensitive client information, invest in offline back-ups that can’t be compromised if you succumb to a ransomware attack. An investment in offline back-ups will minimise not only the loss of information, but also your downtime.

 

Step Four: Business impact

During the recent floods, power, phones and the internet were disabled for some time. A cyber-attack on your managed IT services provider or software vendor could similarly leave you with no access to your computer systems or information for extended periods. Think about the business impact if you can’t access your customer, financial or bookings information for an extended period. Use a scenario of not having access to vital tools and information for up to a month. During large scale cyber-attacks, your IT providers will be juggling competing demands to get multiple businesses operational again. Check your service level agreements and know the level of support you can expect.

 

Step Five: Incident response plan

An incident response plan lets you take a methodical approach to dealing with a cyber-attack when it occurs. Many businesses think that calling their IT provider to fix the problem is all that is needed. Certainly, they can fix the technical problems, but you have obligations as well. For instance, you may need to notify the Privacy Commissioner if personal information has been stolen. Failing to report information breaches can result in a hefty fine. Informing customers that you’ve lost their information is another requirement. The way you manage a cyber-attack will determine the impact on your business’s reputation and your customers’ level of trust.

 

Essential to be cyber resilient

Cyber-attacks are on the rise. They increased 600% during the pandemic; security commentators predict that this year a business will suffer a ransomware attack every eleven seconds. More than 90% are caused by someone clicking on a phishing email. It’s not a case of ‘if’ you get attacked, rather ‘when’. Being cyber resilient puts your business in a much stronger position to weather the storm and recover quickly from a cyber-attack.

 

If you want your business to survive in today’s digital economy, develop your cyber resilience now.

 

Jan Thornborough established Intelligensia in 2021 after realising that although big organisations were dealing with cyber risks, small and medium-sized businesses and not-for-profits were being left behind. Intelligensia’s mission is to bring the same level of expertise enjoyed by large companies and government agencies to smaller organisations.

 

Previously, Jan was head of the cyber resilience unit at New Zealand’s National Cyber Security Centre that helps nationally significant organisations become more cyber resilient.

 

DISCLAIMER: All the information published in Fineprint is true and accurate to the best of the authors’ knowledge. It should not be a substitute for legal advice. No liability is assumed by the authors or publisher for losses suffered by any person or organisation relying directly or indirectly on this newsletter. Views expressed are those of individual authors, and do not necessarily reflect the view of Edmonds Judd. Articles appearing in Fineprint may be reproduced with prior approval from the editor and credit given to the source.
Copyright, NZ LAW Limited, 2022.     Editor: Adrienne Olsen.       E-mail: [email protected].       Ph: 029 286 3650


Insta # dismissal?

Employers, disrepute and social media

Whether we like it or not, social media affects almost every aspect of our daily lives, including employment relationships. How can employees’ ‘private’ social media posts bring an employer’s business into disrepute and lead to an employee’s dismissal? Shouldn’t employees have privacy out of work? On the other hand, if a post adversely affects an employer, shouldn’t they be able to act?

 

The problem with social media

Gone are the days of casual conversations with a limited audience. Social media can reach thousands of people with the click of a button and filter into real life to have an impact on our working environment. An employee’s social media posts ‘shared’ only with family and friends, may ultimately be far from ‘private’. That post or a screenshot can be forwarded and shared with a limitless audience.

 

A social media post (or a like, comment, hashtag or tweet) is often made emotionally or in the heat of the moment, but can be permanent and can quickly cause damage and/or have effects on a business — with far-reaching consequences.

 

Bringing your employer into disrepute

As an employee, if your conduct impacts (or potentially impacts) adversely on your employer’s business or reputation, you could be deemed to bring your employer into disrepute. It is conduct that intrudes on your workplace relationships and obligations, or your ability to do your job. It could be during working hours or outside of it, but there must be a clear link between the conduct and employment.

 

The line between personal opinion and employer disrepute is murky. Employers need to consider whether an objective, fair-minded and independent observer aware of the circumstances could have considered that an employee’s actions/posts have brought, or carry a reasonable risk of bringing, the employer into disrepute.

 

Some examples leading to dismissal

The range of behaviour is wide but whether it is bad enough to warrant dismissal will depend on an employee’s position and the sector in which the employer operates.

 

In a recent case[1], the dismissal of a nurse was justified after she posted her views on vaccination on Facebook. While she argued the posts were private, was unaware of their reach and posted opinions often shared by others, the Employment Relations Authority (ERA) disagreed. There was a significant risk of harm to her DHB employer’s reputation if her posts had been viewed by the wider public, especially as she was a community nurse.

 

In some cases, liking or commenting on someone else’s posts may be enough to bring an employer into disrepute. In a 2014 case[2], an employment advocate (who was representing an employee) made negative posts about that person’s employer. The employee (whose Facebook identified her employer) liked the advocate’s posts. She was endorsing disparaging views and ensuring the posts were shared with her ‘friends’ who were other employees or customers. Her dismissal was justified.

 

Social media posts may also affect the work environment, or lead to claims of bullying and harassment within it. Examples include employees sharing explicit videos with other employees (even outside of work) via Facebook Messenger or making offensive comments about other employees. All employees should think twice before posting embarrassing work party photos, as this could also be found to be bullying or harassment.

 

What about privacy?

As an employer, you may become aware of social media posts because you are a ‘friend’ or ‘follower’ of your employee or have been provided with them by someone who is.

No privacy breach will occur if a legitimate recipient provides this material to you, as social media is objectively in the public domain and may go beyond ‘friends’ and ‘followers’. You cannot force your employee to give you access to their private accounts or coerce others into doing so.

 

When the matter ends up before the ERA, it has the power to order disclosure of this material, if it is relevant. The ERA may also order your employee not to make any posts on social media about your business, employees or any confidential information.

 

What can you do?

Employees must always think twice when posting on social media. If you are posting anything which may be associated with your employer or your workplace, or that may impact on your ability to do your job, you should err on the side of caution. Where your workplace has a distinctive brand or uniform, ensure these are not in any post unless your employer has authorised this placement.

 

Employers should have a social media and internet use policy in place and/or a clause in employment agreements. Investigate any allegations and follow a full and fair process before making any decisions, particularly where there is the possibility your employee may be dismissed. You must also be careful of your own social media posts of, or about, employees.

 

Social media can be a minefield from an employment viewpoint. If you need any guidance, please don’t hesitate to contact us.

 

[1] Turner v Wairarapa District Health Board [2022] NZERA 259

[2] Blylevens v Kidicorp Limited [2014] NZERA Auckland 373

 



Could it happen in New Zealand?

The American entertainer Britney Spears’ conservatorship has recently been in the headlines. She is asking American courts to reconsider the conservatorship which has been in place for some years.

A conservatorship is like a guardianship in New Zealand — a court puts a legal arrangement in place to give a third party control over a person’s affairs if they lack mental capacity in some way.

Britney has claimed that her conservatorship has:

  • Forced her to work, against her wishes, for a number of years
  • Enriched her conservators, who are paid a substantial income, and
  • Prevented her from taking control of, or making decisions about, her own life.

In mid-August, Britney’s father stepped down from his role as conservator; he will work with the court in the appointment of a new conservator for his daughter.

Could this happen in New Zealand?

Many people in New Zealand have Enduring Powers of Attorney (EPAs) that allow them to decide in advance who will take control of their affairs if, or when, they lose mental capacity. It is when a person does not have EPAs that the Family Court will often become involved and can appoint people to make decisions on that person’s behalf. These kinds of appointments are common in New Zealand. However, there are many safeguards, as set out in column 4 of this article, that ought to prevent the kind of abuse Britney claims to have suffered.

The Protection of Personal and Property Rights Act 1988 (PPPRA) allows the Family Court to intervene in relation to a person’s personal care and welfare (where they live, medical treatment, etc) and in relation to their property. The court can only intervene when medical evidence shows that a person is unable to look after themselves, including making decisions about their future and their property.

The PPPRA contains what is known as the ‘minimum intervention principle.’ When making orders, the court is required to make the least restrictive intervention possible in a person’s life. Any orders which are made must enable that person to exercise and develop any capacity they may have, to the greatest extent possible.

Personal care and welfare

The Family Court can make specific decisions about a person’s care and welfare, such as directing that they live in a certain place or it can appoint a welfare guardian.

Appointing a welfare guardian is a significant restriction on a person’s autonomy; an appointment will only be made when a person wholly lacks capacity or does not have the ability to communicate, and when there is no other satisfactory way to ensure decisions are made. If a person only partly lacks capacity and can communicate their preferences, the court can only make specific orders about their welfare, such as an order that they live in a certain place or receive certain medical treatment. It cannot appoint someone to make all decisions.

Property

The Family Court may appoint a property manager when a person wholly, or partly, lacks capacity to manage their own affairs in relation to their property. However, s25 of the PPPRA states that a person does not lack capacity simply because they make, or intend to make, imprudent decisions in relation to their property.

When appointing a property manager, the court considers the minimum intervention principle. It can appoint a manager in relation to only some part of the person’s property, rather than in relation to all the property the person holds. It can also give limited powers to a property manager. There are a number of restrictions on a manager making decisions about property worth more than $120,000.

Unless the court approves, property managers are not allowed to be paid. If a fee is paid, this would usually be very limited, even for a professional manager, such as a trustee corporation.

A property manager or welfare guardian cannot force a person to work, and if either of those people signed a contract requiring the person to work against their wishes, the person could ask the court to review that decision and/or appoint different managers.

Safeguards

The PPPRA has a number of safeguards built in to protect the person. Each time an application is made to the Family Court for orders under the PPPRA, the court must appoint a lawyer (usually state-funded) to represent that person’s interests. That lawyer has duties to:

  • Contact and meet with the person
  • Explain the nature and purpose of the application
  • Ascertain that person’s wishes, and
  • Evaluate possible solutions, including the minimum intervention principle.

The appointed lawyer represents a significant safeguard, and is present every time a PPPRA case is before the court. They report to the court on what the person wants and their capacity.

They can propose a new capacity assessment if, for example, they think the person has become capable of managing their own affairs.

In addition to this, welfare guardianship and property orders must be reviewed every three years (in some cases, every five years). The court reviews the matter, usually obtains an updated capacity assessment, and appoints a lawyer to act for the person and report back to the court.

Britney in New Zealand?

It seems less likely that someone in this country would end up in Britney’s position. If Britney lived in New Zealand and was subject to the PPPRA, the court would review her situation every few years, and her views would be put forward by an independent lawyer. If Britney thought she had capacity, the court could order a medical review. If Britney wanted control of her own affairs, or a different person in charge, the court would be obliged to take this into account. There are a number of safeguards built into the New Zealand system which would help prevent Britney’s current situation in the US from arising.


Some practical tips

You arrive at work to find that files with sensitive commercial and client information held on your computers have been hacked. This is the situation the Reserve Bank of New Zealand (RBNZ) found itself in earlier this year. In January, the RBNZ encountered a data breach of its global file-sharing application Accellion FTA. This application was once used by the RBNZ and its stakeholders to share personal and commercially-sensitive information.

It is alarming to contemplate having to negotiate with hackers who have stolen your business information for ransom. All businesses can learn from the RBNZ’s incident to increase awareness of cyber security and minimise the risk of a hacker attack. Prevention is the best solution.

Install antivirus software

Antivirus software helps detect, quarantine and remove malicious software from computers. Although Windows 10 comes with Windows Defender built-in, this only provides a baseline level of protection. Hackers are constantly inventing new viruses and threats, and it’s important to have up-to-date antivirus software. It’s worth paying for reputable antivirus software; free antivirus software programs can be fake and/or harbour viruses.

Use a virtual private network (VPN)

If you connect a device to free public Wi-Fi networks at, say, local cafes, you’re running a business risk. If hackers access that network, they can see everything you do on the internet, including logins and passwords. A VPN helps to protect you from these risks. A VPN provides online privacy, anonymity and security by creating a private network connection. Like antivirus software, it is worth paying for VPN software to ensure you receive a higher quality product.

Implement patch management

Patch management ensures that all operating systems and software on your business computers are up-to-date so the likelihood of a known security risk being exploited on your computers is reduced.

Although it is tempting to delay notifications that say ‘Windows needs to restart your computer to install the latest update’, installing those updates is critical to maintain security.

Older operating systems such as Windows 7 are easier to hack than the later version (Windows 10) because Microsoft no longer provides updates and support has ended. As a result, there are known security vulnerabilities which have not been fixed.

Regularly back up data

Your IT systems, including all data, should be backed up to a secure location, so that your business can be restored quickly if it is cyber-attacked or there is another data loss event. Typically, backup and business continuity plans are developed to ensure downtime is minimised. Often this will include backups taken at multiple times on any given day and at day end, and stored in multiple locations. Backups should be held for a reasonable period to avoid replicating viruses or other harmful code.

Implement an email filtering system

Emails are a big threat to cyber security. An email can purport to be from a genuine company but have fake credentials, could have been compromised by a hacker or have malicious attachments.

Downloading such emails could give a virus access to your computer. It is advisable to prevent programs from being run inside email attachments without permission. Email filtering system features are available with some Microsoft products but you may need to ensure these are turned on.

Web filtering

This technology stops web pages from being accessed that are known to contain harmful or restricted content. Web filters rely on constantly updated databases that record websites known to be associated with harmful or restricted content.

Train your staff

Staff members should be trained on cyber-attack risks and how to protect against them. Even with the best measures in place, staff can unwittingly present security risks, such as clicking on email attachments from spam emails.

Don’t forget the basics

It’s easy to forget IT fundamentals. Have a screen lock. Create a complex password; ensure it is different for each account and change it frequently. Install two-factor authentication (2FA), which adds an extra layer of security by requiring users to provide two layers of information to gain access to a computer or network (such as entering a password as well as a code texted to your mobile phone).

Have an IT adviser

Unless your core business is IT, employ (or have on call) an IT adviser who can assess the risks to your business and implement the above steps. We also recommend you engage them periodically to undertake audits and to expose any weaknesses before a cyber-criminal exploits them.

Protect your business

Cyber security and cyber threats are now global problems. Failing to put in place measures to protect your business from these threats can easily lead to business failure. It should be a priority in your business planning.


Postscript

Privacy Act 2020 comes into force on 1 December 2020

The new privacy legislation comes into force as this edition of Fineprint is published; it updates the law to reflect the needs of the digital age. Although we published an article on this topic in the Winter edition, we remind you that the key changes relate to:



New Privacy Act comes into force in December

The Privacy Bill is on its third reading in Parliament and will now become law on 1 December 2020. It will repeal and replace the current Privacy Act 1993, and will update the law to reflect the continually-evolving needs of the digital age.

Why new legislation?

Your personal information is stored in many places by organisations such as businesses, government agencies, healthcare providers, financial institutions, social network platforms and telecommunications companies (called ‘agencies’ in the new legislation).



security guard

Ten years ago the idea of protecting your digital assets after your death, or if you lost mental capacity, would have been regarded as absurd. Many of us now regard this as critical. However, there’s very little guidance available on how best to ensure these assets are identified and dealt with in these situations. Protection of digital assets does not fit neatly into traditional asset planning concepts or inheritance plans.
