Sent An Email To The Wrong Person? Legal Steps In NZ

By Alex Solo

You’re moving fast, juggling customers, suppliers, and your team - and then it happens: you’ve sent an email to the wrong person.

Maybe it’s an attachment with a client’s details, a supplier price list, payroll information, or a “reply all” that accidentally includes someone outside the business. It feels small at first, but for many NZ businesses, a misdirected email can quickly turn into a privacy issue, a confidentiality problem, or (in the worst cases) a notifiable privacy breach.

The good news is that a calm, structured response will usually put you in a better position and help you limit harm. Below, we’ll walk you through what to do next, what NZ law generally expects, and how to reduce the risk of it happening again.

What Should You Do Immediately After You’ve Sent An Email To The Wrong Person?

When you realise you’ve sent an email to the wrong person, time matters - but so does getting the response right. Your first goal is to contain the issue and reduce the chance of further disclosure.

1) Confirm Exactly What Was Sent (And To Whom)

Before you send follow-up messages in a panic, take 2 minutes to confirm:

  • Who received it (one person, multiple recipients, internal vs external)
  • What was included (email body, attachments, links, screenshots, thread history)
  • Whether the information is personal, confidential, commercially sensitive, or all three
  • Whether it was actually delivered (and opened, if you can verify)

This matters because the right response depends heavily on the content and the risk of harm.

2) Try To Recall Or Restrict Access (If You Can)

Depending on your email system, you may have options like “recall”, “unsend”, or “restrict access” to a document link (for example, a cloud file that can be disabled).

Don’t rely on recall alone (it’s not always successful), but if you can remove access to the attachment or link, that can significantly reduce the risk.

3) Contact The Recipient Promptly (With Clear, Neutral Instructions)

Usually, the next step is to contact the unintended recipient quickly and politely. Keep the message simple and practical:

  • Explain the email was sent in error
  • Ask them not to read, copy, forward, or save any attachment or content
  • Ask them to delete the email and any attachments
  • Ask them to confirm (in writing) that they’ve deleted it

Be careful about wording if you don’t yet know the full implications. You can acknowledge the mistake without speculating about fault or outcomes, especially if a complaint or dispute may follow.

4) Preserve Evidence Internally

It’s tempting to clean up the situation by deleting things - but you should keep an internal record of what happened, including:

  • What was sent and when
  • The recipients
  • Any follow-up messages
  • Confirmation from the recipient (if provided)
  • Steps taken to restrict access

If this becomes a privacy complaint, an HR issue, or a client dispute, a clear timeline helps show that your business acted promptly and responsibly.

Is A Wrong Email A Privacy Breach Under NZ Law?

Sometimes sending an email to the wrong person is just awkward. Other times, it may be a privacy breach under the Privacy Act 2020.

In simple terms, you’ll be in “privacy breach territory” when the email discloses (or risks disclosing) personal information in a way that wasn’t intended or authorised.

What Counts As Personal Information?

Personal information is information about an identifiable individual. In a small business context, this can include:

  • Customer contact details (name, email, phone, address)
  • Order history, invoices tied to a person, or payment-related details
  • Employee payroll data, leave balances, performance issues
  • Medical information (for example, sick leave documentation)
  • ID documents (driver licence, passport scans)

Even if it seems “basic”, personal information still triggers privacy obligations when disclosed improperly.

When Does It Become A “Notifiable” Privacy Breach?

Under the Privacy Act 2020, some privacy breaches must be notified to the Office of the Privacy Commissioner and often to affected individuals too. This typically happens where the breach has caused, or is likely to cause, serious harm.

“Serious harm” depends on factors like:

  • The sensitivity of the information (medical and financial info is usually higher risk)
  • Whether it could be used for identity fraud or financial loss
  • Who received it (trusted partner vs unknown third party)
  • Whether the recipient is likely to misuse it
  • How widely it may spread (one recipient vs multiple people)

If you’re unsure, getting advice early can help you choose the right response and meet your obligations without causing unnecessary alarm.

For many businesses, having a ready-to-go Data breach response plan makes these decisions much easier under pressure.

Do You Need A Privacy Policy If You Collect Customer Info?

If your business collects personal information (even something as standard as online enquiries, bookings, or customer emails), you should have a clear Privacy Policy that explains how you handle and protect that information.

This doesn’t “fix” a wrong email incident - but it can help demonstrate that you take privacy seriously and have practices in place to manage personal information appropriately.

How Do You Assess Risk And Decide Whether To Notify?

Once immediate containment is underway, your next step is a quick but careful risk assessment. This is the part many businesses skip - and it’s where legal exposure can creep in.

Step-By-Step: A Practical Breach Assessment Checklist

  • Identify the data type: is it personal information, confidential business info, or both?
  • Identify affected people: one person, multiple customers, an employee?
  • Consider the recipient: competitor, random member of the public, existing client, supplier?
  • Check what was actually accessible: attachment opened? link clicked? permissions restricted?
  • Assess potential harm: identity theft, embarrassment, workplace harm, commercial damage?
  • Document your assessment: what you decided and why

If there is a real risk of serious harm, you may need to notify. Notification is not just about “doing the right thing” - it’s also about complying with NZ privacy law and reducing downstream risk (like complaints and reputational fallout).

When you do need to notify, it helps to follow a structured Data breach notification approach so you cover the right information without speculating or overpromising.

What Should A Notification (Usually) Include?

While the exact content depends on the situation, notifications often include:

  • What happened (high level and factual)
  • What information was involved
  • What you’ve done to contain it
  • What steps affected individuals can take (if relevant)
  • How they can contact your business for support

It’s a balancing act: transparent enough to be helpful and compliant, but not so detailed that you increase risk or create confusion.

What If The Email Contains Confidential Or Commercially Sensitive Information?

Not every wrong email is a privacy breach - but it may still be a serious business risk.

For example, you might accidentally send:

  • Supplier pricing and margins
  • Trade secrets or internal processes
  • Draft contracts or negotiation positions
  • Client lists or prospect pipelines
  • Internal complaints or investigation notes

In these situations, the key concept is often confidentiality. It’s worth understanding the difference between privacy and confidentiality, because the legal tools and risks can be different.

Check Your Contracts: Do You Have Confidentiality Protections?

If the recipient is a contractor, supplier, or business partner, your contract may include confidentiality obligations that help you require deletion and help limit further use or disclosure.

Many businesses include a Confidentiality clause in service agreements, contractor agreements, and other commercial contracts to reduce the risk of leaked information becoming a bigger problem.

Be Careful About “Privilege” And Disputes

If the email includes legal advice, dispute strategy, or communications with your lawyer, there can be additional complexities (including whether legal professional privilege applies, and what steps are appropriate to protect it).

In that scenario, it’s a good idea to pause and get tailored legal advice before sending multiple follow-ups that might unintentionally complicate the situation.

Could This Create An Employment Issue (And What Should You Do Internally)?

Sometimes the person who sent the email is you. Other times, it’s a staff member - and the email relates to customers, employees, or sensitive internal matters.

As a business owner, you’ll want to manage two things at once:

  • Your external risk: privacy, confidentiality, client trust, potential complaints
  • Your internal process: training, discipline (if needed), and preventing repeat incidents

Don’t Jump Straight To Blame

Misdirected emails are often caused by system and process gaps (auto-fill contacts, shared inboxes, unclear naming conventions, lack of approval workflows), not just individual carelessness.

That said, if there is repeated behaviour or serious negligence, you may need to address it as a performance or conduct issue - and it’s important to do that fairly, consistently, and in line with your employment obligations.

Put Clear Policies In Place

Even small businesses benefit from clear written expectations about handling personal information and using workplace systems appropriately. A practical Employee privacy handbook can help set boundaries around handling sensitive information, use of systems, and what happens when something goes wrong.

If you work with personal information regularly (for example, bookings, health-related services, or finance), you should also consider an internal “double-check” practice for attachments and recipient lists.

Review Your Email Disclaimers (But Don’t Rely On Them Alone)

Many businesses add a standard footer asking unintended recipients to delete the email. A well-drafted Email disclaimer can help set expectations - but it won’t remove your obligations or automatically prevent a breach if sensitive information is disclosed.

Think of disclaimers as a support tool, not your main protection.

How Can You Prevent Sending Emails To The Wrong Person In The Future?

Once the immediate situation is under control, the smartest thing you can do is treat it as a process improvement moment.

From a legal risk perspective, prevention is powerful - because repeat errors can make it harder to show you have appropriate privacy safeguards in place.

Practical Prevention Steps For Small Businesses

  • Turn off auto-complete for certain inboxes or implement warnings for external recipients
  • Use access-controlled links instead of attachments (so access can be revoked quickly)
  • Set up approval workflows for sensitive outbound emails (HR, finance, client data)
  • Adopt naming conventions (to reduce “same-name” contact errors)
  • Train your team on when to BCC vs CC and how to check attachments
  • Limit who can export data from your CRM or booking system
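As an added illustration (not part of the original article or any particular email product), the sketch below shows how the first, third and fourth steps can be combined into a pre-send check: it warns on external recipients, flags "same-name" contacts stored under a different address, and requires approval when a sensitive-looking attachment is going outside the business. The domains, contact list, keyword list and draft message are all constructed assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumptions for this sketch: your own mail domain(s) and keyword list.
INTERNAL_DOMAINS = {"ourbusiness.example"}
SENSITIVE_MARKERS = ("payroll", "passport", "medical", "invoice")


def review_outbound(msg, known_contacts):
    """Return warnings for a draft EmailMessage; an empty list means send."""
    headers = [str(h) for f in ("To", "Cc", "Bcc") for h in msg.get_all(f, [])]
    warnings, external = [], []
    for name, addr in getaddresses(headers):
        if addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS:
            external.append(addr)
        # Same display name stored under a different address: likely auto-fill slip.
        clashes = [a for n, a in known_contacts
                   if name and n.lower() == name.lower() and a.lower() != addr.lower()]
        if clashes:
            warnings.append(f"same-name contact: {name} <{addr}> vs {', '.join(clashes)}")
    if external:
        warnings.append("external recipients: " + ", ".join(external))
    # Check subject and attachment file names for sensitive markers.
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    text = " ".join([str(msg.get("Subject", ""))] + names).lower()
    hits = [m for m in SENSITIVE_MARKERS if m in text]
    if external and hits:
        warnings.append("approval required: " + ", ".join(hits) + " sent externally")
    return warnings


def constructed_draft(to):
    """Build a constructed sample draft with a payroll attachment."""
    m = EmailMessage()
    m["From"] = "accounts@ourbusiness.example"
    m["To"] = to
    m["Cc"] = "Priya Nair <priya@ourbusiness.example>"
    m["Subject"] = "March figures"
    m.set_content("See attached.")
    m.add_attachment(b"name,amount\n", maintype="application",
                     subtype="octet-stream", filename="payroll-march.csv")
    return m


CONTACTS = [("Sam Lee", "sam.lee@ourbusiness.example"),
            ("Priya Nair", "priya@ourbusiness.example")]

if __name__ == "__main__":
    for w in review_outbound(constructed_draft("Sam Lee <sam.lee@supplier.example>"), CONTACTS):
        print("WARN:", w)
```

A file name or subject keyword match is only a rough signal, so a check like this supports the "double-check" habit rather than replacing it.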

Many businesses think of privacy and security as purely “IT problems”. In reality, your legal obligations and your systems need to match.

For example, if you handle customer data through online forms, cloud storage, or shared drives, make sure you have appropriate controls and internal rules - and that your customer-facing documents (like your Privacy Policy) reflect what you actually do in practice.

If you need something more formal for staff and contractors, an acceptable use policy or information security policy can also be a sensible next step (especially as your team grows and more people access customer data).

Key Takeaways

  • If you’ve sent an email to the wrong person, focus first on containment: confirm what was sent, restrict access where possible, and contact the recipient with clear deletion instructions.
  • A wrong email can be a privacy breach under the Privacy Act 2020 if it discloses personal information - and in serious cases, it may be notifiable.
  • Do a structured risk assessment based on the sensitivity of the information, who received it, and the likelihood of harm, and document your decision-making.
  • If confidential business information was disclosed, your contractual protections (like confidentiality clauses) may help you limit further use or disclosure.
  • If a team member made the mistake, manage it calmly and fairly - and consider policies, training, and systems improvements to prevent repeat incidents.
  • Prevention is part of compliance: using access-controlled links, approval workflows, and clear internal rules can significantly reduce your risk.

This article is general information only and isn’t legal advice. If you’d like help responding to a misdirected email, assessing whether you need to notify, or tightening up your privacy and confidentiality protections, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
