Privacy Breach Examples for New Zealand Businesses

By Alex Solo · 10 min read

If you run a small business in New Zealand, you’re probably collecting more personal information than you realise. Customer enquiries, online orders, email newsletters, staff records, CCTV footage, delivery addresses, and even “just a quick note” in a spreadsheet can all count as personal information.

That’s why it’s worth getting familiar with real-world privacy breach examples - not to scare you, but to help you spot common risk points before something goes wrong.

In this guide, we’ll walk through practical privacy breach examples businesses commonly face in NZ, how the Privacy Act 2020 applies, what to do if a breach happens, and the simple steps you can take now to reduce your risk.

What Counts As A Privacy Breach In NZ (And Why Small Businesses Are Often At Risk)

In New Zealand, privacy obligations are primarily governed by the Privacy Act 2020. The key idea is simple: if your business collects, holds, uses, or shares personal information, you have duties around how you handle it.

Under the Act, a privacy breach is unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, personal information, or an action that stops your business from accessing that information (temporarily or permanently). In practice, that means something has happened that:

  • Accesses personal information without permission (for example, an employee snoops in customer records),
  • Discloses personal information to the wrong person or in the wrong way (for example, emailing invoices to the wrong customer),
  • Alters or destroys personal information without authority (for example, a contractor deletes the wrong client file), or
  • Loses personal information or makes it unavailable (for example, ransomware encrypts your customer database).

Small businesses are often at higher risk because you’re moving quickly, wearing multiple hats, and relying on tools that are convenient rather than “enterprise-grade” (shared inboxes, personal devices, spreadsheets, cloud drives, outsourced providers, and so on).

Even if you don’t think of yourself as “data-driven”, the moment you store someone’s name + phone number + address + purchase history, you’re handling personal information and privacy law is in play.

If you’re collecting any information through a website, booking form, or online store, having a clear Privacy Policy is one of the simplest ways to set expectations and show you’re taking privacy seriously.

Common Privacy Breach Examples NZ Businesses Actually See

When people search for privacy breach examples, they’re usually trying to work out whether a situation they’re dealing with is serious, and what the “typical” breaches look like.

Here are some practical privacy breach examples that come up regularly for NZ businesses (including service businesses, online retailers, clinics, agencies, and employers).

1. Emailing Personal Information To The Wrong Recipient

This is one of the most common privacy breaches NZ businesses experience.

Typical scenarios include:

  • Sending an invoice to the wrong customer (showing name, address, product/service details, and pricing).
  • Accidentally CC’ing customers instead of BCC’ing (revealing everyone’s email addresses).
  • Forwarding a thread that includes sensitive background details about a client or employee.

Why it matters: an email address can be personal information on its own, and invoice details can reveal purchasing habits or personal circumstances.

2. Lost Or Stolen Devices (Laptops, Phones, USBs)

If a staff member loses a laptop with customer data, or a phone used for business emails is stolen, that is a privacy breach even if no one can confirm the data was accessed. Whether the device was encrypted and locked with a strong passcode is a big part of working out how likely serious harm is, so record that fact as soon as the loss is reported.

This often happens when:

  • Staff use personal devices for work (BYOD) without security controls.
  • Devices don’t have strong passcodes, encryption, or remote wipe enabled.
  • Customer lists are stored locally (downloads folder, desktop files, USB backups).

If you allow staff to work remotely, it’s worth setting clear rules around device security, access controls, and what data can be stored where (and yes, documenting those rules matters if there’s ever a dispute).

3. Accidental Sharing Through Cloud Storage Or Permissions

Cloud tools are great - until someone clicks “anyone with the link can view” on a folder that contains personal information.

Common examples include:

  • Sharing a roster spreadsheet that includes employee contact details and leave notes.
  • Sharing a customer complaint log that includes names, phone numbers, and order details.
  • A former employee still having access to your drive, CRM, or project management tool.

These breaches often feel “minor” because there’s no hacking involved, but they can still create real harm (identity risk, financial harm, reputational damage, embarrassment, or safety concerns).

4. Staff Accessing Information They Don’t Need (Internal Snooping)

Not all breaches come from external cyberattacks. Sometimes it’s internal access that isn’t justified.

For example:

  • An employee looks up a customer’s address “out of curiosity”.
  • A staff member accesses an ex-partner’s details held in your system.
  • A contractor with broad system permissions browses files outside their project scope.
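One practical way to catch the pattern above after the fact is to review who looked at what. The following is an added example, not the page's own material and not tied to any particular CRM, that runs three simple rules over constructed access-log lines: lookups with no matching open ticket, lookups of records flagged as restricted, and one person opening many different records in a short window. The log format, the ticket table, the restricted list, the staff names and the thresholds are all assumptions made for illustration.

```python
"""Added example: flag unusual staff lookups in a CRM access log.
The log format, ticket table, restricted list, thresholds and names
are constructed assumptions, not the page's own material."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: when, which staff login, which customer record
# was opened, and the support ticket the lookup was made under ('-' if none).
SAMPLE_LOG = """\
2026-06-02T09:01:10 staff=ana record=cust:1001 ticket=T-501
2026-06-02T09:03:42 staff=ana record=cust:1002 ticket=T-502
2026-06-02T09:20:05 staff=ben record=cust:1003 ticket=-
2026-06-02T09:21:11 staff=ben record=cust:1004 ticket=-
2026-06-02T09:21:40 staff=ben record=cust:1005 ticket=-
2026-06-02T09:22:03 staff=ben record=cust:1006 ticket=-
2026-06-02T09:22:30 staff=ben record=cust:1007 ticket=-
2026-06-02T09:23:12 staff=ben record=cust:1008 ticket=-
2026-06-02T11:00:00 staff=cal record=cust:2001 ticket=-
"""

# Constructed: the customer each open ticket relates to, and records
# carrying a "restricted" flag (a staff member's relative, a customer
# who has asked for extra protection, and so on).
OPEN_TICKETS = {"T-501": "cust:1001", "T-502": "cust:1002"}
RESTRICTED = {"cust:2001"}

LINE_RE = re.compile(r"(\S+) staff=(\S+) record=(\S+) ticket=(\S+)")
BULK_THRESHOLD = 5                   # this many distinct records ...
BULK_WINDOW = timedelta(minutes=10)  # ... opened within this window


def parse(log_text):
    """Turn raw lines into (timestamp, staff, record, ticket) tuples,
    skipping anything that does not match the expected format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, staff, record, ticket = m.groups()
            events.append((datetime.fromisoformat(ts), staff, record, ticket))
    return events


def find_suspicious(events):
    """Return (rule, staff, detail, when) findings for three rules."""
    findings = []
    views_by_staff = defaultdict(list)
    for ts, staff, record, ticket in events:
        # Rule 1: no ticket, or a ticket that belongs to a different customer.
        if OPEN_TICKETS.get(ticket) != record:
            findings.append(("no_justification", staff, record, ts))
        # Rule 2: a record flagged as restricted was opened.
        if record in RESTRICTED:
            findings.append(("restricted_record", staff, record, ts))
        views_by_staff[staff].append((ts, record))
    # Rule 3: bulk browsing - many distinct records in a short window.
    for staff, views in views_by_staff.items():
        views.sort()
        for i, (start, _) in enumerate(views):
            window = {r for t, r in views[i:] if t - start <= BULK_WINDOW}
            if len(window) >= BULK_THRESHOLD:
                findings.append(("bulk_browsing", staff,
                                 f"{len(window)} records in {BULK_WINDOW}", start))
                break
    return findings


def summarise(findings):
    """Collapse findings to {staff: set of rules tripped} for a review list."""
    summary = defaultdict(set)
    for rule, staff, _, _ in findings:
        summary[staff].add(rule)
    return dict(summary)


if __name__ == "__main__":
    for staff, rules in sorted(summarise(find_suspicious(parse(SAMPLE_LOG))).items()):
        print(f"{staff}: {', '.join(sorted(rules))}")
```

In a real system the lines would come from the CRM's audit export and the ticket and restricted tables from its database. Two design points carry over regardless of tool: an access log only helps if someone is actually reviewing it, and rule 1 is only possible if the system records a reason for each lookup, which is why a "reason" or "ticket" field on customer searches is worth the small amount of friction.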

As an employer, you can reduce this risk by limiting access to a “need-to-know” basis and setting clear expectations in contracts and workplace policies. If you’re hiring, it can also help to make sure your Employment Contract is aligned with confidentiality and privacy requirements.

5. Scams, Phishing, Or Impersonation Leading To Disclosure

A classic privacy breach scenario is when someone impersonates a customer (or supplier) and your business discloses personal information without verifying identity.

For example:

  • A scammer emails your accounts team requesting a “change of bank details” and asks for customer invoice history.
  • Someone calls pretending to be a customer and asks you to confirm their address, date of birth, or order history.
  • A fake “IT support” message convinces a staff member to share passwords.

This is why verification processes (even basic ones) are part of privacy compliance - not just “good admin”.

6. Misplaced Paperwork (Old-School, But Still Common)

Privacy breaches aren’t just digital.

Paper-based privacy breach examples include:

  • Leaving printed job applications at the front counter.
  • Throwing out customer forms without shredding.
  • Misfiling employee performance notes into the wrong file.

Paper breaches can be particularly hard to track because you may never know who saw the information.

7. Website Or Checkout Issues Exposing Customer Data

If your website or booking system accidentally exposes customer information (for example, an order page where changing the ID number in the link shows another customer's order, a flaw known as an insecure direct object reference), that may be a serious breach, because anyone who notices it can walk through every order number in turn.

This often arises from:

  • Poorly configured plugins or forms.
  • Inadequate access controls in a customer portal.
  • Development/testing environments using real customer data.
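To make the checkout flaw above concrete, here is an added example (not code from the page or from any particular shop platform) of an order lookup with and without an ownership check. The order data, customer IDs and function names are constructed for illustration.

```python
"""Added example: an order-lookup endpoint before and after an
ownership check.  The orders, customer IDs and function names are
constructed for illustration and are not the page's or any platform's
own code."""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    delivery_address: str
    items: tuple


# Constructed sample data standing in for the shop's orders table.
ORDERS = {
    1001: Order(1001, 7, "12 Example St, Wellington", ("t-shirt",)),
    1002: Order(1002, 9, "4 Sample Rd, Auckland", ("mug", "poster")),
    1003: Order(1003, 7, "12 Example St, Wellington", ("hoodie",)),
}


class NotFound(Exception):
    """Maps to an HTTP 404 in a real request handler."""


def get_order_vulnerable(order_id: int) -> Order:
    """VULNERABLE: /orders/<order_id> trusts the number in the URL.

    Any logged-in customer (or anyone at all, if the page has no login)
    can change 1001 to 1002 and read another customer's address and
    purchases: an insecure direct object reference."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id)


def get_order(current_customer_id: int, order_id: int) -> Order:
    """HARDENED: the caller's identity comes from the authenticated
    session (never from the request) and the lookup is scoped to it.

    A missing order and someone else's order produce the same error,
    so the response does not reveal which order numbers exist."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != current_customer_id:
        raise NotFound(order_id)
    return order


def can_read(current_customer_id: int, order_id: int) -> bool:
    """True if the hardened lookup lets this customer see this order."""
    try:
        get_order(current_customer_id, order_id)
        return True
    except NotFound:
        return False


def enumerate_orders(lookup: Callable[[int], Order],
                     id_range: Iterable[int]) -> List[int]:
    """Simulates an attacker walking sequential order numbers and
    returns the IDs they managed to read."""
    readable = []
    for oid in id_range:
        try:
            readable.append(lookup(oid).order_id)
        except NotFound:
            continue
    return readable


if __name__ == "__main__":
    # Customer 9 probing order numbers 1000-1009 against each version.
    print("vulnerable:", enumerate_orders(get_order_vulnerable, range(1000, 1010)))
    print("hardened:  ", enumerate_orders(lambda oid: get_order(9, oid), range(1000, 1010)))
```

In a real application the customer ID would be read from the server-side session after login, and the scoping belongs in the database query itself (`WHERE id = ? AND customer_id = ?`) rather than in a check bolted on afterwards, so that every code path that fetches an order gets it for free. Sequential order numbers are not the bug, but they do make the bug trivial to exploit, which is why many platforms also use long random identifiers in customer-facing links.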

If your business collects personal information online, it’s also worth checking your website’s legal setup (for example, having proper Website Terms And Conditions alongside your privacy documentation).

When Does A Privacy Breach Need To Be Reported In New Zealand?

Under the Privacy Act 2020, some privacy breaches are considered notifiable privacy breaches. That means you may have to notify:

  • The Office of the Privacy Commissioner, and
  • The affected individuals (the people whose information was involved).

Whether a breach is “notifiable” depends on whether it has caused, or is likely to cause, serious harm.

“Serious harm” isn’t limited to financial harm. It can include:

  • Risk of identity theft or fraud,
  • Risk to someone’s physical safety (for example, disclosure of a home address),
  • Humiliation or damage to reputation,
  • Loss of employment opportunities,
  • Emotional distress (especially where the information is sensitive).

Sensitive information (such as health information, biometrics, financial details, or information about children) is more likely to trigger “serious harm” concerns.

There are some exceptions and practical nuances in the Act (for example, where notifying could create safety risks, or where another agency is involved). There are also record-keeping requirements - businesses should keep a record of any privacy breach, whether it’s notifiable or not.

If you’re unsure whether a breach is notifiable, that’s a strong sign you should get tailored advice quickly - because delays and poor handling can make the situation worse.

What To Do If Your Business Has A Privacy Breach (A Practical Response Plan)

When a breach happens, your goal is to contain it, understand it, and respond in a way that reduces harm and meets your legal obligations.

Here’s a practical, business-friendly approach.

1. Contain The Breach

  • Ask the recipient to delete the email and confirm they have done so. Message "recall" only works reliably inside your own organisation's mail system, so do not rely on it for external recipients.
  • Disable compromised accounts and reset their passwords, and also revoke active sessions, app passwords and API tokens, which a password reset alone does not invalidate.
  • Remove public links or correct sharing permissions, and check the file's activity or access history (if your cloud tool provides one) to see whether the link was already opened.
  • Isolate affected systems from the network if ransomware or hacking is suspected, but do not wipe them straight away: you may need them for forensic review.

2. Assess What Happened (And What Data Is Involved)

Document what you know, including:

  • What information was involved (names, addresses, payment details, health info, etc.).
  • How many people may be affected.
  • Who may have received or accessed the information.
  • Whether the information was encrypted, password-protected, or otherwise secured.

3. Reduce The Risk Of Harm

Your next steps depend on the data involved. For example:

  • If it’s financial information, you may need to recommend customers monitor accounts or replace cards.
  • If it’s login details, require password resets and revoke sessions.
  • If it’s an address disclosure, consider extra safety steps for the affected individual.

4. Work Out Whether It’s Notifiable

This is where the "serious harm" test comes in. If you decide the breach is notifiable, you must notify the Privacy Commissioner as soon as practicable after becoming aware of it (the Office of the Privacy Commissioner says it expects this within 72 hours), and notify affected individuals as soon as practicable too, unless one of the Act's exceptions applies. Failing to notify the Commissioner without reasonable excuse is an offence under the Act.

Even if it’s not notifiable, you should still keep internal records of what occurred and what you did about it (this is part of good practice, and it also helps meet your record-keeping obligations under the Act).

5. Communicate Carefully (And Consistently)

It’s tempting to rush out an apology email. But communications should be accurate, clear, and consistent - especially if multiple staff interact with customers.

Often, it’s a good idea to have a standard process and templates ready to go. If you have a broader compliance framework in place (including internal policies about data handling), it becomes much easier to respond quickly without making things up on the fly.

If you handle personal information as part of delivering services (especially where you use third-party providers), clear contract terms can also help allocate responsibilities. In some cases, businesses use tailored Service Agreement terms to set expectations around confidentiality, security measures, and incident response.

How To Reduce Privacy Breach Risk Before It Happens

Most privacy breaches are preventable with a few “boring but effective” habits.

Here are practical steps you can take to reduce the risk of these breaches happening in your business.

Limit Collection (Only Collect What You Actually Need)

A simple rule: if you don’t need it, don’t collect it. The less personal information you hold, the less there is to breach.

Check your forms and intake processes and ask:

  • Do we really need date of birth, or is an age confirmation enough?
  • Do we need home addresses for this service?
  • Are we collecting sensitive information “just in case”?

Lock Down Access (Need-To-Know Permissions)

  • Restrict CRM access so staff only see what they need.
  • Use separate logins (avoid shared accounts).
  • Remove access immediately when someone leaves.

When staff leave on bad terms, access issues become even more important. It’s one reason businesses put clear confidentiality obligations in place from day one, including via an NDA where appropriate (for example, with contractors, developers, or marketing providers who will see customer information).

Train Your Team On The “Everyday” Risks

Privacy training doesn’t need to be complicated. Focus on the real risks:

  • How to use BCC properly.
  • How to verify identity on phone/email requests.
  • What to do if someone clicks a suspicious link.
  • Where customer info can and can’t be saved.

Secure Your Tech Basics

  • Enable multi-factor authentication (MFA) on email, cloud tools, and anything with admin access; authenticator apps or hardware security keys are stronger than SMS codes.
  • Use password managers and strong password rules.
  • Keep systems updated (especially devices used for work).
  • Encrypt devices and enable remote wipe.
  • Back up important data (and test that backups restore properly).

Have A Clear Privacy Setup For Your Website And Marketing

If you’re collecting emails for newsletters, tracking customer behaviour, or using cookies/analytics, make sure your privacy settings and disclosures match what you’re actually doing. “Set and forget” is where a lot of businesses get caught out.

For online businesses, your customer-facing terms often work together - for example your E-Commerce Terms And Conditions can help set the rules for accounts, order processes, and security expectations, while your privacy documentation covers how personal information is handled.

Key Takeaways

  • Common privacy breach examples for NZ businesses include misdirected emails, lost devices, incorrect cloud permissions, internal snooping, phishing scams, misplaced paperwork, and website security issues.
  • Under the Privacy Act 2020, some breaches are notifiable if they have caused (or are likely to cause) serious harm - but there are also some exceptions, and you should keep records of breaches whether or not notification is required.
  • If a breach happens, act quickly: contain it, assess what information is involved, reduce the risk of harm, decide whether notification is required, and communicate carefully.
  • You can reduce privacy breach risk by collecting only what you need, limiting access to information, training staff on common mistakes, securing devices and accounts, and keeping your privacy and website documents up to date.
  • Having the right legal foundations (including clear privacy documentation and tailored contracts with staff and providers) makes privacy compliance much easier to manage as your business grows.

If you’d like help getting your privacy compliance set up properly, or dealing with a privacy breach that’s already happened, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
