How Do I Protect My Business Information From Being Stolen? (2026 Updated)

When you’re building a business, your information is often your competitive edge. It might be your customer list, your pricing model, your product roadmap, your supplier terms, your processes, or even “the way you do things” that makes customers choose you over someone else.

And the tough part is this: business information is easy to copy, forward, screenshot, or walk out the door with - sometimes accidentally, sometimes deliberately.

This 2026 update reflects the reality that more businesses are operating digitally (cloud tools, remote work, contractors, AI-assisted workflows), which means protecting business information isn’t just about being careful. It’s about having the right legal foundations and practical systems in place from day one.

Below, we’ll step through the key legal and practical ways you can protect your business information in New Zealand, including what to put in your contracts, what to document internally, and what to do if you think information has already been taken.

What Counts As “Business Information” (And What’s Actually Worth Protecting)?

“Business information” is a broad term. Some information is obviously sensitive (like financials), but a lot of business owners don’t realise how valuable their day-to-day operational knowledge can be until it’s used against them.

Common types of business information you should think about protecting include:

• Customer and lead data: contact lists, buying history, renewal dates, preferences, CRM notes.
• Pricing and margin information: price lists, discount rules, costings, margin targets, quoting templates.
• Supplier and contractor details: who you use, what you pay, contract terms, negotiated rebates.
• Internal processes and know-how: SOPs, scripts, workflows, checklists, QA processes, training materials.
• Product development and strategy: roadmaps, prototypes, formulas, designs, marketing plans, launch dates.
• Operational and security information: system architecture, access credentials, security settings, incident reports.
• Commercial documents: proposals, tenders, statements of work, templates, internal financial models.

From a legal perspective, the big question is usually whether the information is confidential and whether you’ve treated it like it’s confidential.

In practice, if you want to protect information, you should be able to answer “yes” to these:

• Is it not public and not easily available elsewhere?
• Does it have commercial value (even if it’s not on a balance sheet)?
• Have you taken reasonable steps to keep it secret (contracts, access controls, policies)?

If you haven’t taken steps to protect it, it becomes much harder to argue later that it was “stolen” rather than simply “learned” or “re-used”.

What Are The Most Common Ways Business Information Gets Taken?

Most information leaks don’t look like a Hollywood hack. They usually happen through everyday business scenarios - especially when things are moving fast and you’re trusting people to “just do the right thing”.

Here are some of the most common risk points we see for NZ small businesses and startups:

1) Employees Or Contractors Leaving

Someone resigns (or you let them go), and they take:

• CRM exports or screenshots
• templates and SOPs
• pricing and quoting logic
• supplier contacts

Sometimes it’s deliberate (to start a competing business). Sometimes it’s “I worked on it so I can use it”. Either way, the outcome can hurt your business.

2) “Friendly” Sharing With Potential Partners

You’re talking to a potential collaborator, distributor, investor, or supplier, and you share commercially sensitive details too early - before anything is in writing.

3) Cloud Tool Access That Never Gets Turned Off

If you don’t have a clean offboarding process, ex-team members can keep access to:

• Google Drive / Dropbox / SharePoint
• Xero or accounting systems
• Slack / Teams messages
• your CRM and email marketing tools

4) Weak Internal Boundaries

If everyone has access to everything, it’s harder to prove the information was treated as confidential. It also increases the chances of accidental leaks.

5) Recording, Monitoring, And Device Issues

Businesses sometimes assume they can rely on workplace monitoring to prevent leaks, but monitoring and surveillance must be handled carefully and lawfully. If you’re using cameras or other monitoring tools at work, it’s worth checking your approach aligns with Are Cameras Legal In The Workplace? and your overall privacy obligations.

How Do Contracts Protect Business Information (And Which Ones Do You Actually Need)?

If you want strong protection, contracts are your first line of defence. The goal isn’t to “lawyer up” for the sake of it - it’s to set clear rules about what information is confidential, who can use it, and what happens if they misuse it.

For most businesses, the key contract tools are:

Non-Disclosure Agreements (NDAs) For Early Conversations

If you’re sharing sensitive information with someone who isn’t yet formally part of your business (like a supplier, potential investor, potential buyer, or prospective collaborator), an NDA can set expectations and create legal rights if things go wrong.

An NDA is especially useful when you’re discussing:

• business acquisition discussions
• joint ventures or partnerships
• product development or manufacturing
• marketing strategy and launch timing

A good NDA should cover:

• what confidential information includes (and that it covers information in any form)
• why it can be used (only for the permitted purpose)
• who can access it (and requiring they keep it confidential too)
• how long the obligations last
• return/deletion requirements

Where businesses get caught out is relying on a quick template that doesn’t match the real relationship. If you’re relying on confidentiality as a key protection, it’s worth using a properly drafted Non-Disclosure Agreement.

Employment Contracts (And Clear Confidentiality Clauses)

If you have staff, your employment agreement should deal with confidentiality and, where appropriate, restraints (more on restraints below). This matters because employees often have the deepest access to your customer relationships, systems, and internal strategy.

Your Employment Contract should clearly address:

• what your business considers confidential
• that confidentiality continues even after employment ends
• limits on taking copies, downloading, or forwarding business information
• returning company property and information on exit

Contracts won’t replace good systems, but they make it much easier to enforce your rights if a dispute arises.

Contractor Agreements (Because Contractors Aren’t Employees)

Many NZ businesses rely heavily on contractors - designers, developers, marketers, virtual assistants, consultants, sales contractors, and more.

Contractors usually work across multiple clients. That’s normal. But it increases the risk of “cross-contamination” (your documents, your strategy, your customer information being reused).

A tailored Contractor Agreement can deal with:

• confidentiality
• ownership of work product and IP
• security expectations (devices, access, storage)
• return/deletion of information at the end of the engagement

Company Founder Documents (Where The Risk Is Internal)

Sometimes the “theft” issue isn’t external - it’s a co-founder relationship breaking down, or someone leaving and claiming they can take key documents, client relationships, or assets because they “created them”.

This is where a clear Founders Agreement or (for established companies) a Shareholders Agreement can help set expectations about:

• who owns business information and IP
• what happens if someone exits
• confidentiality obligations between owners
• dispute resolution processes

If you’re thinking “we’re friends, we don’t need that,” it’s worth remembering: good documents don’t create mistrust - they prevent misunderstandings.

What Practical Steps Should I Put In Place To Keep Information Secure?

Even the best contracts won’t help much if your information is sitting in an unprotected inbox or a shared drive accessible to everyone (including ex-team members).

In New Zealand, taking reasonable steps to protect information also supports your position if you ever need to enforce your rights - because you can show you treated the information as confidential.

Here are practical protections that work well for small businesses without turning your workplace into a fortress:

Limit Access (Role-Based Permissions)

Not everyone needs access to everything. A simple “least privilege” approach helps a lot:

• sales staff don’t need your full supplier costings
• contractors don’t need access to your entire drive
• admin staff may need invoices but not product roadmap documents

In many disputes, being able to show you restricted access can be evidence that the information was genuinely confidential.

Use Clear Labels And Document Hygiene

It sounds basic, but it’s effective:

• mark documents “Confidential” where appropriate
• avoid mixing sensitive docs into general folders
• keep customer lists and pricing rules in controlled systems (not random spreadsheets)

Have Offboarding And Device Return Processes

When someone leaves, you want a checklist that covers:

• revoking access (email, drive, CRM, accounting, social media)
• returning company devices
• confirming deletion/return of confidential info
• reminding them of ongoing confidentiality obligations

This is one of the simplest ways to reduce “walk out the door with it” risk.

Train Your Team (Quick, Practical, Repeated)

Confidentiality isn’t just a clause in a contract - it’s a habit. Short training reminders can prevent accidental leaks, like:

• not forwarding client data to personal email
• not saving files on personal devices without permission
• being careful about what’s discussed in public spaces

Be Careful With Call Recording And Monitoring

Some businesses try to reduce risk by recording calls or monitoring communications, especially in sales or customer support. If this is relevant to your business, you’ll want to ensure you’re doing it lawfully and transparently - the rules can be nuanced. It’s worth checking your approach against Business Call Recording Laws In New Zealand.

Know Your Privacy Obligations (Especially With Customer Information)

If the information you’re protecting includes personal information (like customer contact details), you also need to think about your obligations under the Privacy Act 2020.

That includes taking reasonable steps to keep personal information secure, and only using it for the purpose you collected it for. Many businesses also publish a Privacy Policy to help set clear expectations with customers and users.

Privacy compliance and confidentiality aren’t the same thing, but in real life they overlap a lot - especially when a “stolen customer list” is both a business asset and personal information.

Do Non-Competes And Restraint Clauses Actually Help In New Zealand?

This is one of the most common questions we get: “Can I stop someone from competing with me if they leave?”

In NZ, restraints of trade (like non-compete clauses and non-solicitation clauses) can be enforceable, but they’re not automatic. They need to be reasonable and tailored to protect a legitimate business interest (like protecting confidential information, customer relationships, or goodwill).

A restraint that is too broad - for example, “you can’t work in this industry anywhere in NZ for 2 years” - is much more likely to be challenged.

Common restraint types include:

• Non-compete: limits working for or running a competing business (usually the hardest to enforce).
• Non-solicitation: prevents approaching your clients/customers for a period of time.
• Non-poaching: prevents approaching your staff or contractors.
• Confidentiality obligations: prevents use/disclosure of confidential info (often the most practical and enforceable).

The key idea is this: restraints aren’t a substitute for confidentiality protections. They’re usually an additional tool where there is a real risk of harm and the restriction is proportionate.

If you’re considering restraints for employees, contractors, or even founders, it’s worth getting advice so the clause is drafted in a way that fits your business and is more likely to hold up if tested.

What Should I Do If I Think Business Information Has Already Been Stolen?

If you suspect information has been taken, it’s normal to feel frustrated (or even panicked). The trick is not to rush into actions that make things worse - like sending an angry message that admits something you didn’t mean, or making threats you can’t follow through on.

Instead, try to take a calm, step-by-step approach.

Step 1: Secure Access Immediately

Before anything else, protect what’s still in your control:

• change passwords
• disable user accounts
• revoke third-party tool access
• check shared folder permissions

If you’re not sure what access someone has, your IT provider can usually help map this quickly.

Step 2: Preserve Evidence (Don’t “Clean Up” Yet)

It’s tempting to delete things or “tidy” systems, but that can destroy evidence. Preserve:

• audit logs (drive access, CRM exports, email forwarding rules)
• screenshots of relevant messages
• copies of relevant agreements
• timeline notes (when you noticed, what you noticed, who was involved)

Step 3: Check What Your Contracts Actually Say

Your next steps will depend heavily on what’s in your agreements (employee contracts, contractor agreements, NDAs, shareholders/founder documents).

If you don’t have anything in writing, don’t assume you have no rights - but enforcement can be harder and more fact-dependent.

Step 4: Consider A Formal Notice

Often, the first legal step is a carefully written letter that:

• puts the other party on notice
• demands return/deletion of confidential info
• requires they stop using or disclosing it
• reserves your rights

What you say (and how you say it) matters, so this is a good point to get legal help.

Step 5: Think About The Broader Legal Landscape

Depending on what happened, multiple areas of law can come into play, such as confidentiality obligations, intellectual property ownership, privacy obligations (if personal information was involved), and fair trading issues (if someone is misleading customers by pretending to be associated with your business).

The right approach depends on the facts - which is why tailored advice is so important here.

Key Takeaways

• Business information includes more than just financials - customer lists, pricing, supplier terms, processes, and strategy can all be valuable and protectable.
• The most common “theft” scenarios involve team members leaving, excessive access to cloud tools, and sharing sensitive information too early in negotiations.
• Strong contracts are a practical first step, including a well-drafted Non-Disclosure Agreement, tailored Employment Contract clauses, and clear Contractor Agreement terms.
• Practical security matters just as much as legal wording - limit access, label sensitive documents, use offboarding checklists, and train your team on information handling.
• Restraint clauses (like non-competes and non-solicitation) can help in some situations, but they need to be reasonable and are not a substitute for confidentiality protections.
• If information has already been taken, secure access fast, preserve evidence, review your contracts, and get legal advice before escalating the dispute.

If you’d like help protecting your business information with the right contracts and legal setup, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.