In Series 5 of The Digital Download: Tech Half Year in Review, we look at some of the top tech trends and highlights from the first half of 2024, and touch on several new developments in the tech space including in relation to the CDR and other PayTech initiatives, AI, biometrics, FinTech and crypto.
Digital Download: Tech Half Year in Review (script version)
Episode 1: Cyber Resiliency
Please note this is a transcript version of a video, which you can view here.
2024 Cybersecurity Landscape
CERT NZ's most recent published figures suggest there is some cause for celebration this year, with reported cyber incidents down 20% from Q4 of 2023. This includes a 40% decrease in reports of phishing and credential harvesting, which hit all-time highs during and post Covid.
However, high profile attacks have nonetheless occurred. Earlier this year, MediaWorks notified around 403,000 individuals that the information they'd provided as part of a competition was the subject of a cyber-attack.
In 2021, the Tokyo Olympic Games endured an estimated 450 million cyber-attacks, according to Cisco. It expects eight times more attacks on the Paris Games, with the large volumes of data involved in putting on the games making it a prime target for cyber criminals.
Regulatory developments
In the UK, the Cyber Security and Resilience Bill aims to address existing vulnerabilities and strengthen the UK's defences against cyber threats by expanding the scope of current cyber regimes, empowering regulators, and increasing reporting requirements.
The UK's National Cyber Security Centre has called the announcement of the Bill a landmark moment in tackling the growing threat to its critical systems. It'll be interesting to see if the New Zealand Government decides to follow suit.
CrowdStrike Crisis
On Friday July 19th, a routine update to CrowdStrike's security software caused widespread outages to operating systems globally. CrowdStrike has now revealed that the issues were caused by a bug in a quality control tool that it uses to check system updates for mistakes. This allowed a critical flaw, in a routine software update, to be pushed out to users.
In response to the events, CrowdStrike has said that it plans to undertake more pre-release testing, including a canary approach, whereby future updates will be rolled out gradually to customers on a staged basis.
These events, widely reported to be the largest global IT outage in history, show the interconnectedness of modern IT systems, and how a simple routine software update can have a cascading effect.
In the aftermath of the events, investigations into potential US federal securities law breaches by CrowdStrike were swiftly announced and the first class-action lawsuit has now been filed in West Texas on behalf of CrowdStrike investors.
Claims on behalf of those affected organisations are also undoubtedly being considered.
Also, if any lack of readiness on the part of those organisations exacerbated the impact of the outage on them, shareholder claims against them or their directors are possible.
Episode 2: CDR and Paytech
As foreshadowed in this week's episode, following the Commission's draft determination in July this year, the Commission has announced today that it is conditionally authorising Payments NZ's application to work with current and future API providers (ie, banks) and third parties (eg, fintechs) to develop and apply a partnering framework relating to the provision of API services by API providers to third parties. Please see a link to the Commission's final determination here.
As also foreshadowed in this episode, the Commission has announced today that it has made a recommendation to the Minister of Commerce and Consumer Affairs, Andrew Bayly, under the Retail Payment System Act 2022, to designate the interbank payment network. Please see a link to the Commission's recommendation to the Minister here and final reasons paper here.
CDR Explained
The Consumer Data Right (CDR) is a voluntary legal framework which provides customers with the ability to require data holders to share information held about them with trusted third parties, as well as the right to require them to carry out certain actions on their behalf.
The CDR aims to increase competition and innovation, lower costs and increase choice for consumers. A Bill was introduced to Parliament earlier this year and passed its first reading in July.
We know that the banking and electricity sectors are likely to be the first designated in-scope, but that the Government intends to roll it out incrementally across other consumer-centric industries such as insurance, health and telecommunications over time.
Last month, the Australian Banking Association and Accenture jointly released a report on the first four years of the Australian CDR, reflecting on reportedly low uptake by consumers.
The report, together with a separate Statutory Review published on the AU CDR last year, has highlighted several potential areas for improvement in the AU CDR, including high participation costs, data quality issues, lack of customer awareness, complexity of the regime and customer experience issues.
At the NZ CDR Bill's first reading, Minister Andrew Bayly emphasised that the Government has observed what has happened overseas and adapted the NZ framework, so the same issues won't arise here.
The Minister stressed that the Government will play a limited role in the regime and indicated that significant work was going into ensuring the regime would be simple, safe and easy to use for customers.
Minister Bayly has now referred the Bill to the Economic Development, Science and Innovation Committee for consideration. Submissions on the Bill will open shortly.
Commerce Commission consults on interbank payment network designation
In March, the Commerce Commission released a consultation paper on its proposed designation of the interbank payment network under the Retail Payment System Act to facilitate an API-enabled payments ecosystem.
Once designated, the Commission would have the ability to introduce network standards or directions, for example, where it identifies issues with the development of an API enabled payments ecosystem.
Payments New Zealand has applied to the Commerce Commission for authorisation to facilitate the joint development and potential implementation of a partnering framework between API providers and third parties. The Commission has issued a draft determination suggesting that it will grant authorisation, subject to conditions, for a period of 18 months. The timeframe recognises that a number of potential benefits from this initiative will be achieved via other regulatory interventions, such as the CDR and interbank payment network designation discussed earlier.
Episode 3: Developments in AI
Recent AI Class Actions
Three record labels have brought an action for copyright infringement in the US against two AI startups, Suno and Udio. The labels claim that the startups infringed their copyright by using their recordings to train their music creation AI systems. The startups are arguing the defence of fair use under the US Copyright Act.
There have also been various actions initiated against OpenAI and other AI developers such as Google, Meta, GitHub, Stability AI and Midjourney for breach of copyright. Fair use is also expected to form an important part of the defence in these actions.
The defendants' unlicensed use of data to train their AI systems will be subject to judicial scrutiny, and the outcome of these class actions could have a significant impact on the global AI ecosystem.
Finalisation of the European Union's AI Act
As AI continues to develop at an exponential rate, we're seeing a wave of activity from regulators and governments around the world as they try to keep pace by regulating AI applications.
Importantly, the European Union's AI Act, the world's first comprehensive AI regulation, came into force on the 1st of August. It takes a risk-based approach to AI regulation by prohibiting certain forms of harmful AI and regulating high-risk and limited-risk AI systems.
New Zealand organisations that develop AI systems that are used in the EU will need to comply with its requirements. And it's also expected that, more generally, it will have a flow down effect in the same way that the EU's GDPR has had in the privacy space.
AI Regulation in New Zealand
At the end of July, the Cabinet Office released a paper setting out a strategic approach to AI in New Zealand. This indicated a strong preference for using our existing legal frameworks rather than developing standalone AI legislation, and for promoting the use of AI principles by New Zealand organisations.
The Government plans to release further papers in September, encouraging adoption of AI and issuing risk management guidance.
Action by the Privacy Commissioner
In the absence of AI-specific laws, it's largely up to organisations that are using and developing AI systems in New Zealand to adhere to a growing body of regulatory and industry guidance on AI and data governance.
The Office of the Privacy Commissioner has taken an active role in helping provide guidance in this area. For example, it has released practical guidance on the use of generative AI by New Zealand organisations and has also released an exposure draft of a biometrics processing privacy code which is currently under consultation.
The Privacy Commissioner also released a briefing to the incoming Minister of Justice last December outlining recommendations for the modernisation of the Privacy Act 2020. One of the recommendations was for a comprehensive response to AI, which we'll discuss more in our next episode.
Episode 4: Privacy, Digital Identity and Biometrics
Biometrics
The use of biometric technologies by New Zealand organisations has been hitting the headlines in recent months and has attracted the attention of the Privacy Commissioner. For example, Foodstuffs has been trialling the use of facial recognition technologies to combat retail crime in 25 of its supermarkets across the North Island.
The Privacy Commissioner has voiced concerns about the use of facial recognition technology in essential spaces like supermarkets, and has launched an inquiry into the Foodstuffs trial to assess the effectiveness of the technology and the privacy risks.
In parallel with this inquiry, the Office of the Privacy Commissioner is consulting on its exposure draft of a new Biometric Processing Privacy Code. The draft code proposes new rules for agencies that use or collect biometric information to verify, identify or categorise individuals using automated processing.
The OPC will continue to develop the code as feedback is received, and it's expected that there will be further opportunities to provide feedback on the code as it progresses this year. It's also expected that the OPC will be preparing guidance on biometrics and the proposed new privacy rules.
Trust Framework Authority
The Digital Identity Services Trust Framework Act came into effect on the 1st of July. The Act aims to create a digital identity ecosystem in New Zealand that is safe and trusted. As part of the framework, digital identity service providers can become accredited on an opt-in basis.
The Trust Framework Authority is the regulator of digital identity services that are accredited under the Act. The Authority is responsible for accrediting providers, monitoring accredited providers, investigating complaints, and managing the accreditation mark.
The trust framework rules and regulations are currently being finalised and are expected to be released later this year. The rules will set out the operational requirements for accredited services, and are expected to cover matters such as privacy, security, and data management.
Calls For Privacy Act Modernisation
Last December, the Office of the Privacy Commissioner released a briefing paper to the incoming Minister of Justice, Paul Goldsmith. The paper endorsed modernisation of New Zealand's Privacy Act 2020 to provide strengthened protection in several areas and to better align our privacy framework with international legislation.
For example, the Privacy Commissioner called for higher penalties under the Privacy Act to incentivise compliance, new measures to manage the risks of automated decision-making, and better protections for children.
However, there are no indications at this stage that the Government is planning to make any significant changes to the Privacy Act to address these recommendations. Any changes to the privacy framework this year are likely to come from the Office of the Privacy Commissioner.
Episode 5: Fintech Regulatory Developments
Like many other central banks around the world, New Zealand's Reserve Bank is currently considering whether New Zealand should have a centralised digital currency, known as "digital cash".
Digital cash would be issued by the Reserve Bank and hold the same value as traditional notes and coins but would be accessible via a physical card, digital wallet or app on your phone.
Like physical cash, digital cash will let you buy items or transfer money immediately, regardless of whether you have a bank account at the same bank as the recipient. It will also be available offline, without an internet connection or power, by downloading it to your phone or a physical card and using Bluetooth to transfer it to another device.
The Reserve Bank aims for digital cash to give people more choices when making payments and, as a result, increase competition and innovation within the payment industry. Digital cash will be in New Zealand dollars and backed by the New Zealand government as opposed to other forms of digital money which are issued by the private sector.
Concerns have been raised around the privacy and security of digital cash. The Reserve Bank acknowledges that the security of digital cash will be paramount and digital cash will be designed with robust privacy protection in mind. The Reserve Bank has also confirmed that neither it nor the government will be able to see your transactions or intervene in how digital cash is being spent.
Public consultation on digital cash closed at the end of July. The next step is for the Reserve Bank to review the comments received and develop its design and policy requirements for digital cash. At this stage, we're not expecting the Reserve Bank's requirements to be ready until June 2025.
Fintech Regulatory Developments
According to Technology Investment Network's 2024 Fintech Report, New Zealand's total fintech revenue was $2.64 billion in 2023, and fintech has been New Zealand's fastest growing tech sector over the last decade, growing four times faster than the rest of the tech industry combined.
IRD's crackdown on crypto
At the start of July, Inland Revenue made it clear that it will be starting to place more focus on customers investing in crypto assets who are not declaring income derived from crypto in their tax returns. Warning letters have already been sent to high-risk customers giving them an opportunity to fix any non-compliance issues before facing audit.
Inland Revenue has said that it has identified 227,000 unique crypto asset users in New Zealand who are undertaking around seven million transactions with a value of $7.8 billion.
Crypto assets are treated as a form of property for tax purposes and are taxed in the same way as any other income tax. This means that income made from selling, trading or exchanging crypto assets is taxable and must be declared on your tax return.
There is a common misconception that crypto is anonymous but, in fact, Inland Revenue receives data from crypto exchanges in New Zealand and overseas. Inland Revenue has said that it plans to use that data and its other tools and analytics capabilities to expose non-compliant crypto asset activities.
Inland Revenue is also part of the OECD crypto asset reporting framework, allowing it to work with other tax jurisdictions to share information, so even crypto transactions outside New Zealand are likely to be traced. Anyone receiving income from crypto in New Zealand or overseas should consider their tax obligations carefully and obtain tax advice where necessary.
Digital Download Update: Developments in New Zealand's Open Banking and Consumer Data Right journey
Our timeline infographic shows the developments in New Zealand's Open Banking and Consumer Data Right journey, including Payments NZ authorisation, Interbank payment designation, and Customer and Product Data Bill. You can view the timeline here.
That brings us to the end of our 2024 Half-Year Tech Round Up. We look forward to recapping on the second half of 2024 later in the year! Thanks for joining us.