TMT Update - ICT risk assurance framework & cloud computing guidance, Harmful Digital Comms Bill, fine for spam emails

Introduction

There have been a number of developments since our last update. In this issue we provide updates on:

  • the Government Chief Information Office’s (GCIO) release of the New Zealand ICT risk assurance frameworks and separate guidance on cloud computing for agencies
  • the Harmful Digital Communications Bill
  • the status of the Electronic Transactions (Contract Formation) Amendment Bill
  • another decision of the High Court under the Unsolicited Electronic Messages Act 2007 to impose a fine for sending unsolicited messages – this time with a $120,000 penalty.

If you have any questions, please contact a member of our TMT team.

Government releases ICT risk assurance frameworks

In February 2014, the Government released two new ICT assurance frameworks for government agencies. One framework deals with ICT Operations, the other with ICT Projects and Programmes. These frameworks were created after the recent spate of problems with information and technology management, particularly in regards to privacy breaches.

The frameworks are designed to remedy the current fragmented approach to risk assurance across agencies by implementing a systematic assessment of current risk status. The frameworks are compulsory for public service departments, giving GCIO oversight over all these agencies. This allows the GCIO to assure Ministers that ICT risks are being identified and managed and that the investment being made in public sector ICT is being well utilised.

The frameworks tie into the Treasury’s new Portfolio Performance Management function (which replaces the State Services Commission’s major projects monitoring function). Treasury’s new function is still being developed, so we can expect more on this later this year.

Other agencies may also use the frameworks for guidance. However, this may change later this year. A proposed Whole-of-Government direction regarding ICT functional leadership, including ICT assurance, is currently being consulted on. If adopted by Cabinet it will extend the mandate into the wider State Services.

ICT Operations Framework

This framework details a process for ensuring that all operational risks are handled appropriately on a day-to-day basis. It focuses on system-wide risks rather than individual projects.

The process follows a number of steps:

  • Initially, agencies will be required to provide GCIO with details of their top ICT operational risks.
  • GCIO will identify key system-wide areas of ICT operational risk.
  • Agencies will then undertake a risk and control self-assessment for these identified areas. If the risk is outside system/agency tolerance, GCIO and the agency agree the required actions.

Agencies will also be required to:

  • Agree an assurance plan with GCIO in relation to all areas of ICT operational risk for the agency.
  • Report significant ICT operational risks to GCIO as they are identified.
  • If an incident occurs in relation to identified risks, report the incident to GCIO.

To drive education and awareness, GCIO will develop and implement ICT risk management and assurance activities. Templates provided by GCIO will enable agencies to undertake ICT risk management and assurance self-assessment.

ICT Projects and Programmes Framework

At this stage this is an interim framework. It deals with high and moderate risk/value ICT-enabled projects (and programmes). The framework indicates that it will be revised in a second phase to address low risk/value projects.

GCIO will be the lead agency to coordinate assurance. Its role will be to concentrate on system-wide ICT risk management and assurance.

Agencies will remain responsible and accountable for owning and addressing ICT risks within their agency.

The key requirement for agencies under this framework is to have a costed and resourced ICT Assurance Plan for all ICT projects. Other requirements depend on the risk/value of the project:

  • If a project is assessed as high risk/value:
    • the assurance plan must be developed in conjunction with and approved by GCIO;
    • monitoring by GCIO will be required; and
    • the appointment of an independent quality assurance provider may also be required.
  • For projects that are assessed as moderate risk/value, GCIO will determine if monitoring is required. If so, the requirements are largely the same as for high risk/value projects. If not selected, all that is required is the assurance plan and for the agency to self-monitor and decide if an independent quality assurance provider is required.

Both frameworks contain detailed process maps explaining the various steps and have templates for general use. The frameworks do not deal with the roles and responsibilities of Monitoring Departments and Crown Entities. An updated framework to address these areas will be released once finalised.

The frameworks can be accessed by clicking here.

Cloud Computing Information Security and Privacy Considerations

In June of last year, Cabinet directed the Department of Internal Affairs to review the use of cloud computing in the public sector, with the development of a security and risk framework in mind. The security and privacy breaches of 2013, including those by ACC, the Ministry of Social Development and EQC, brought this issue to the forefront of Cabinet’s attention.

In October 2013, the Cabinet Committee on State Sector Reform and Expenditure Control agreed upon the implementation of a Government-led and monitored risk and assurance approach to cloud computing that sits within an all-of-government ICT assurance regime.

The principles underpinning the agreed approach include:

  • case-by-case consideration by the agency (with GCIO oversight) of cloud computing decisions that balances the risk and benefits appropriately;
  • no data above RESTRICTED to be held in a public cloud (onshore or offshore);
  • agencies to undertake a risk assessment and apply GCIO guidelines in considering relevant issues.

In February 2014 GCIO released a document setting out the considerations relevant to cloud computing in terms of information security and privacy issues. It re-issued an updated version of the document this month. The document gives an overview of cloud computing, including outlining the types of clouds (eg public, private, etc) and the manner in which environments can be deployed into the cloud and who is expected to be responsible for security controls, and then discusses 104 security and privacy considerations in detail. The document brings together various existing documents setting out the obligations on, and guidelines for, agencies in this area. It does not replace those existing documents, so they must still be referred to as well.

The 104 considerations discussed in the document cover the following key topics:

  • value/criticality/sensitivity of information
  • data sovereignty
  • privacy
  • provider terms of service
  • access control
  • multi-tenancy delivery of service
  • patch and vulnerability management
  • encryption
  • trustworthiness of provider personnel
  • sanitisation/destruction of storage media and equipment
  • physical security
  • data integrity
  • service levels and network availability
  • business continuity
  • incident response and management

The considerations are for the most part a series of questions and discussion points on the topics.

The document also states that the Institute of Information Technology Practitioners New Zealand Cloud Computing Code of Practice should only be used for informational purposes by agencies and is not to be relied on to replace an agency’s own due diligence. This Code of Practice provides good guidance on areas to focus on when assessing cloud technology. It is a useful checklist to work alongside this guidance from GCIO in considering all relevant matters before embarking on a cloud computing solution in any particular case.

The key point to remember is that once all relevant considerations have been assessed the risks identified are balanced with the benefits in order to make the appropriate decision. Ultimately this is a decision for chief executives, as they are accountable for managing the agency’s risks.

Usefully this document lists in an appendix the relevant resources for understanding more about cloud computing and also the guidelines that have been issued by various agencies on the topic.

Read about these considerations for cloud computing by clicking here.

Harmful Digital Communications Bill

Harmful digital communications, like harmful communications more generally, are captured by a range of existing laws addressing behaviours such as harassment, criminal incitement of suicide, defamation, and invasion of privacy and human rights. However, the development of technology enabling digital communications has created a unique environment in which digital communications can be very easily made, accessed and distributed and are difficult to remove. There are gaps in the ability of existing laws to address harmful digital communications, in particular in relation to cyber-bullying and harassment that do not meet the current thresholds for criminality.

In addition, the remedies provided by existing laws are inaccessible to many victims of harmful digital communications. The Law Commission has found that 10% of New Zealanders have been the victim of a harmful digital communication, and that nearly half of respondents did not know how to seek help.

The Harmful Digital Communications Bill addresses these concerns by creating new criminal offences to deal with the most serious harmful digital communications, providing a new civil enforcement regime for dealing with more minor harmful behaviour and plugging the gaps in a number of pieces of legislation. It also clarifies when online content hosts will not be liable for content posted by another person.

The Bill was introduced to Parliament in November 2013 following a ministerial briefing by the Law Commission, and was passed to Select Committee in December 2013. More than 70 submissions were made on the Bill during the consultation period and the Select Committee Report is due in June 2014. Although most submissions supported the Bill, a number of concerns were raised, some of which have stimulated public debate.

View the full ministerial briefing paper here.

What are harmful digital communications?

Digital communications are defined in the Bill as meaning any form of electronic communication including any text message, writing, photograph, picture, recording, or other matter that is communicated electronically. It will therefore capture cyber-bullying and harassment via any form of electronic communication including emails, blogs and social media platforms.

In order to be caught by the Bill, the digital communication must be harmful. The Bill defines “harm” as meaning serious emotional distress.

There is a new offence of causing harm by posting a digital communication

The Bill creates the offence of causing harm by posting a digital communication. There are three elements to the offence: a person commits an offence if:

  • that person posts a digital communication intending that it cause harm to a victim; and
  • posting the communication would cause harm to an ordinary reasonable person in the position of the victim; and
  • posting the communication does cause harm to the victim.

Posting a digital communication includes transferring, sending, posting, publishing, disseminating or otherwise communicating a digital communication, or attempting to do those things.

Civil enforcement regime for more minor harmful behaviour

The Bill sets out a tiered civil enforcement regime for more minor harmful behaviour. This regime is intended to balance the costs and time required to pursue formal court action with the need for an accessible, timely and effective remedy. However, concerns have been raised that the regime will overload the courts and that more emphasis should be placed on educating users and the value of more immediate remedies available through many digital media platforms.

In the first instance, a complaint that harm has been caused to a person by a digital communication may be made to an Approved Agency (to be appointed). The Approved Agency will assess, investigate and attempt to resolve complaints through negotiation, mediation and persuasion (as appropriate).

The next tier of the regime gives the District Court jurisdiction to make civil orders in respect of the harmful digital communication, provided that the Approved Agency has first received the complaint and has had an opportunity to consider the complaint and decide what (if any) action to take. It follows, then, that the more effective the Approved Agency is at resolving complaints, the less recourse will be needed to the courts. In its paper, the Law Commission has recommended that Netsafe be appointed as the Approved Agency.

Applications to the District Court may be made by an individual who alleges they have suffered harm, a parent or guardian of that individual, or by a school principal where the individual is a student and has given his or her consent. Orders that may be made include takedowns, corrections, apologies and prohibitive injunctions.

‘Safe harbour’ for online content hosts

The Bill clarifies the liability of an online content host (OCH) for hosted content that may amount to a harmful digital communication. An OCH will not be liable for content posted by another person, provided that the content was not posted on behalf of, or at the direction of, the OCH. In addition, if an OCH has received a complaint about content and fails to take reasonable steps to address the issue, the safe harbour provisions do not apply.

Concern was raised in a number of submissions on the Bill that the breadth of the definition of OCH would have the unintended consequence of catching not just those entities that have direct control over the website (for example) on which the post has been made, but those who have indirect control, such as the provider of web-hosting services. The latter have no control over the content that is posted, and may have only limited ability to comply with any orders made in relation to the post.

Amendments to existing legislation

The most significant amendment to existing legislation is the amendment to the Crimes Act to extend the offence of aiding and abetting suicide so that it applies not only in situations where suicide is actually attempted, but also in situations where suicide is not actually attempted.

The Bill also contains amendments to the Harassment Act, the Human Rights Act and the Privacy Act, to ensure that the impacts of digital communications are adequately addressed within the ambit of those Acts.

Staged introduction

The Bill will be introduced in two stages. The new criminal offences and amendments to existing legislation will be effective immediately, while the new civil regime will be delayed for up to two years, presumably to allow time for selection of the Approved Agency and development of the processes it will implement.

We will update you on the Bill further as the Select Committee reports back.

Electronic Transactions (Contract Formation) Amendment Bill

On 9 April the Electronic Transactions (Contract Formation) Amendment Bill passed through the Committee of the Whole House stage in Parliament. It now awaits its third reading. This Bill will provide certainty as to the time at which contracts are formed.

Auckland company receives $120,000 fine for spam emails

In our December 2013 update we reported on the case of Wayne Mansfield, an Australian resident fined for sending unsolicited emails. The High Court imposed a penalty of $95,000 for spam emails numbering in the hundreds of thousands.

In a February 2014 High Court decision, a New Zealand company received a penalty of $120,000 for sending over 500,000 unsolicited emails to New Zealanders. Image Marketing Group Ltd (IMG) sent unsolicited emails and texts in 2009 and 2010, resulting in over 500 complaints to the Department of Internal Affairs.

IMG acknowledged that it had breached the Unsolicited Electronic Messages Act 2007 and co-operated in the investigation. As such, the penalty was reduced from a starting point of $160,000. In this case the Judge agreed with the parties’ assessment of the appropriate penalty. Of note is that this is the largest penalty to date under the Act.

See the decision of the High Court by clicking here.