Deputy Privacy Commissioner Liz MacPherson wants all agencies, big or small, to introduce two-factor authentication to protect the information they hold.

She makes the remarks following the findings of the Office of the Privacy Commissioner’s latest small businesses Insights Report and to support CERT’s two-factor authentication campaign.

When a cyber security privacy breach occurs, the question compliance officers will ask is “have you taken reasonable cyber security steps to protect the personal data you hold?” Not to have taken reasonable steps is a breach of the Privacy Act and the trust that your customers or clients have placed in you to keep their information safe.

What is reasonable depends on the size of the organisation and the scale and sensitivity of the personal information it holds.

Two-factor authentication is like an extra wall between you and people who would steal your data.

Two-factor authentication means having two forms of identification, such as a password confirmed by a text message to your phone or email. This is designed to allow you safer access to your systems. It provides an additional step of verification and greater security.

“Two-factor authentication is a bare minimum we would expect for small businesses or organisations that hold or share personal information digitally. If you are a small business that has a cyber-related privacy breach and don’t have at least two-factor authentication in place, expect to be found in breach of the Privacy Act.”

The small business Insights Report showed agencies’ confidence that they understood what privacy meant didn’t translate into having relevant privacy policies and procedures in place.

CERT’s Two Steps Too Easy campaign has more information about two-factor authentication.