Cyber Security & Data Breaches: Legal Tips To Protect Your Business (2026 Updated)

By Rowan Gardoce (9 min read)

Cyber security isn’t just an “IT issue” anymore. If you run a business in New Zealand, it’s also a legal, commercial and reputational issue - because the moment you collect customer or employee information, you’re responsible for how it’s handled.

And with more businesses using cloud tools, remote work, online payments and outsourced providers than ever, a single mistake (like a phishing email or misconfigured storage folder) can quickly become a full-scale data breach.

This guide is updated to reflect current expectations around privacy compliance and breach response in New Zealand, so you can build strong legal foundations and reduce risk from day one.

What Counts As A Data Breach (And Why It Matters Legally)?

In plain terms, a data breach happens when personal information is accessed, used, changed, lost, or shared without permission - whether that’s caused by an outside hacker, an internal mistake, or a supplier you rely on.

In New Zealand, your main legal framework is the Privacy Act 2020. That law doesn’t require you to be “perfect” at cyber security, but it does expect you to take reasonable steps to protect personal information and to act quickly and transparently if something goes wrong.

Here are common examples of breaches we see affecting SMEs:

  • Phishing and invoice fraud where staff are tricked into paying the wrong account or sharing logins.
  • Ransomware locking business systems and customer files until a payment is demanded.
  • Email misdirection (sending a spreadsheet to the wrong recipient).
  • Lost or stolen devices where customer data is stored locally without encryption.
  • Supplier breaches where your payroll, booking, CRM or IT provider is compromised.

Even if the breach wasn’t “your fault” in a technical sense, you can still be responsible from a privacy compliance perspective, because you’re the organisation that collected the data and decided how it would be stored and used.

If you’re thinking, “We’re too small to be a target,” it’s worth re-framing it: small businesses are often targeted because they’re smaller - attackers assume there are fewer controls and less training in place.

What Are Your Main Obligations Under The Privacy Act 2020?

Most businesses will interact with the Privacy Act 2020 through three practical obligations:

1) Collect, Use And Store Data Properly

You generally need to make sure you only collect personal information that you actually need, you’re transparent about why you’re collecting it, and you keep it secure.

This is where a clear Privacy Policy can do a lot of heavy lifting - it sets expectations with customers (and staff), and it helps you prove you’re taking compliance seriously.

If you collect data through a website, booking platform, mailing list, loyalty program, online checkout, or app, you should also think about:

  • what personal information you collect (names, email addresses, delivery addresses, health info, payment details);
  • where it’s stored (and whether storage is offshore);
  • who has access internally (and whether access is role-based); and
  • how long you keep it (and when you delete it).

2) Keep Personal Information Secure

The Privacy Act expects “reasonable” security safeguards. What’s reasonable depends on your business size, the sensitivity of the data, and the harm that could occur if it’s exposed.

For example, if you run an online retail store collecting names and delivery addresses, you’ll still want sensible protections. But if you run a health practice, childcare business, or store customer ID documents, the bar is higher because the data is more sensitive.

3) Respond Appropriately When Something Goes Wrong

Having a breach response process is part of privacy compliance. It doesn’t need to be a 40-page manual, but you should have a plan that your team can actually follow at 8pm on a Friday if a staff member receives a ransomware message.

A practical starting point is a Data Breach Response Plan that sets out roles, steps, communication templates, and decision-making pathways.

And if a breach causes (or is likely to cause) serious harm to individuals, you may have to report it - which leads us to the next section.

When Do You Need To Notify The Privacy Commissioner And Affected People?

New Zealand has mandatory notification rules for certain breaches. You’re generally required to notify the Office of the Privacy Commissioner (and affected individuals) when the breach has caused, or is likely to cause, serious harm.

“Serious harm” isn’t just financial loss - it can include emotional distress, safety risks, identity theft risk, or reputational damage for the individuals involved.

It helps to think about factors like:

  • What type of information was involved? (e.g. passport numbers, health information, passwords, bank details)
  • How many people were affected?
  • Who got access? Was it a trusted recipient who deleted it, or a malicious actor?
  • Was the information encrypted or protected?
  • What could someone do with the information?

Timing matters too. A slow, disorganised response can cause more damage than the breach itself - not just commercially, but legally.

That said, you also don’t want to rush out inaccurate information. The goal is to move quickly, preserve evidence, contain the breach, assess seriousness, and notify in a clear and responsible way.

If you’re not sure whether notification is required, that’s a good sign you should get advice early - because the “serious harm” assessment is very fact-specific.

How Do Contracts And Policies Reduce Your Cyber Risk (And Your Liability)?

Cyber security is partly technical, but a big chunk of your risk is actually contractual. Many data breaches get worse because the business didn’t have clear obligations with staff or service providers, or because the business couldn’t quickly control communications when the incident happened.

Make Sure Your Staff Rules Match Your Actual Cyber Risks

Your employees are often your first line of defence - and also (unintentionally) the most common entry point for cyber incidents.

A few “from day one” foundations that help:

  • Confidentiality obligations in your Employment Contract.
  • Clear rules about password management, device use, remote access, and reporting suspicious emails.
  • Privacy and surveillance boundaries if you monitor systems (more on this below).

If you use contractors (like outsourced IT support, marketing contractors, or overseas virtual assistants), you should also consider a proper Non-Disclosure Agreement or confidentiality terms, especially where they can access customer lists, credentials, internal pricing, or operational systems.

Lock In Cyber And Privacy Obligations With Suppliers

Many SMEs rely on third parties for key systems - payroll, rostering, booking platforms, cloud storage, accounting, email hosting, point-of-sale providers, CRM tools and website plugins.

That’s normal. But it also means your legal protection is only as strong as your contracts with those providers.

When reviewing or negotiating supplier terms, pay attention to:

  • Data handling clauses: what security standards do they follow, and where is data stored?
  • Breach notification obligations: do they have to tell you quickly, and how?
  • Liability limits: is their liability capped in a way that leaves you exposed?
  • Subcontractors: can they pass your data to others, including offshore?
  • Access controls: who at the supplier can access your account and why?

If your business provides services to clients (especially B2B), your own customer-facing contract can also help you manage expectations about system availability and security responsibilities - for example through a well-drafted Service Agreement that reflects how you actually deliver the work.

How Do You Balance Monitoring And Surveillance With Privacy?

It’s common for businesses to use CCTV, access logs, email security tools, and call recording as part of fraud prevention and cyber security. But you need to balance security with privacy.

The key idea is: even if you have a legitimate reason to monitor, you should still do it transparently and proportionately.

CCTV And Workplace Monitoring

Security cameras can be lawful, but you should have a clear reason for them (like preventing theft, protecting staff, or securing sensitive areas) and you should avoid placing cameras in areas where people reasonably expect privacy (like bathrooms or changing rooms).

Workplace monitoring can also trigger employment and privacy risks, so it’s important to get the approach right. If you’re considering cameras or other monitoring tools, the practical starting point is understanding whether cameras are legal in the workplace and how to implement them fairly.

Call Recording

Call recording can help with training, dispute resolution and fraud prevention - but it’s also sensitive because it can capture personal information.

If you record calls with customers, staff, or suppliers, you should be clear about:

  • what you record and why;
  • how you notify people (e.g. pre-recorded message or verbal notice);
  • who can access recordings;
  • how long you keep them; and
  • how you respond to access requests.

This area can be nuanced, so it’s worth checking your approach against New Zealand’s call recording laws and your broader privacy obligations.

Step-By-Step: What To Do If Your Business Has A Data Breach

If you ever face a suspected breach, it’s easy to panic - but a structured response makes a huge difference. Here’s a practical checklist that aligns with privacy expectations and good risk management.

Step 1: Contain The Breach Immediately

  • Disable compromised accounts, reset passwords, revoke access tokens.
  • Isolate affected devices or servers (especially with ransomware).
  • Stop unauthorised transfers or payments (contact your bank early).

Step 2: Preserve Evidence

  • Take screenshots, preserve logs, save emails and metadata.
  • Don’t wipe devices until you’ve taken advice (you may destroy evidence you need later).

Step 3: Assess What Happened And What Data Was Involved

You’ll want to quickly work out:

  • what system was affected;
  • what personal information was involved;
  • how many individuals are impacted; and
  • whether the data is likely to be misused.

Step 4: Decide Whether Notification Is Required

This is where the “serious harm” test becomes important. If notification is required, you’ll usually need to notify both the Privacy Commissioner and affected individuals.

Even when notification isn’t legally required, you might still choose to notify for customer trust reasons - but it should be done carefully and consistently.

Step 5: Communicate Carefully (Internally And Externally)

In a breach, communication can create legal risk if it’s inaccurate, incomplete, or contradicts your contracts and policies.

A few practical tips:

  • Nominate one person to manage external communications.
  • Keep internal updates factual and need-to-know.
  • Be careful not to blame individuals without evidence (especially employees).

Step 6: Fix The Root Cause And Prevent A Repeat

Once the immediate incident is controlled, you should address the underlying cause:

  • patch vulnerabilities, remove unapproved plugins, update systems;
  • review admin access and implement multi-factor authentication;
  • re-train staff on phishing and data handling; and
  • update your policies, contracts, and vendor management process.

This is also a good time to review your overall privacy compliance (including website notices and internal data practices). If you want a structured check, a privacy advice review can help you identify gaps before they turn into incidents.

Key Takeaways

  • A data breach can be caused by hacking, human error, lost devices, or supplier failures - and it can still create legal obligations for your business.
  • Under the Privacy Act 2020, you should take reasonable steps to protect personal information and respond properly if an incident occurs.
  • You may need to notify the Privacy Commissioner and affected individuals where a breach has caused (or is likely to cause) serious harm, so it’s important to assess the risks quickly and carefully.
  • Strong legal foundations reduce cyber risk: make sure your Employment Contracts, confidentiality terms, and supplier arrangements reflect how data is actually handled in your business.
  • CCTV, monitoring tools and call recording can support cyber security, but you need to balance security with privacy and communicate transparently.
  • A clear breach response plan helps you act fast, preserve evidence, contain harm, and communicate in a consistent way when it matters most.

If you’d like help strengthening your privacy compliance, updating your contracts, or putting a practical breach response plan in place, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Rowan Gardoce, Marketing Coordinator

Rowan is the Marketing Coordinator at Sprintlaw. She is studying law and psychology with a background in insurtech and brand experience, and now helps Sprintlaw help small businesses
