Our prediction

The courts will continue to see an increase in proceedings relating to cyber-attacks and data breaches. 

Why?

  • Data breaches and cyber-attacks continue to increase in New Zealand, in both quantity and scope. Notable recent local incidents include:
    • In November 2022, a ransomware attack on IT service provider Mercury IT affected multiple organisations, exposing a variety of sensitive and confidential information, including health data. The stolen data was posted for sale on the dark web by the cyber-criminals. Two Crown agencies obtained an urgent injunction preventing unknown defendants (ie the world at large) from accessing, using, storing or otherwise engaging with the stolen data.
    • March 2023 saw New Zealand’s largest data breach to date, the result of a cyber-attack on Latitude Financial, which affected around 14 million customers across Australia and New Zealand. The breach is the subject of regulatory investigations by the NZ Office of the Privacy Commissioner (OPC) and the Office of the Australian Information Commissioner, and a potential class action by affected customers is being investigated.
  • We are starting to see a corresponding increase in litigation in the following areas:
    • Regulatory investigations: The OPC has stated that it is moving from being reactive and complaints-driven to being proactive and risk-based. In particular, the OPC has shown an increasing willingness to launch formal investigations and take enforcement action against entities subject to data breaches where required. An example is the joint investigation the OPC has launched with the Australian regulator, in relation to the Latitude breach.
    • Increased regulatory powers may be coming: At the National Cyber Security Summit in March 2024, the Privacy Commissioner bemoaned the fact that the maximum fine his Office could issue to an organisation for not adhering to a compliance order is $10,000, while the maximum fine for serious interference with privacy in Australia is $50 million. Noting that “we live in dynamic times with significant technological advancements, yet we’re operating on a Privacy Act that is based on policies agreed in 2013”, the Commissioner recommended the introduction of a civil penalty regime for major non-compliance alongside new privacy rights for New Zealanders to better protect themselves. He also proposed a set of specific amendments to make the Act fit-for-purpose in the digital age.
    • Urgent injunctive relief: Many data breaches involve extraction or copying of personal and sensitive data, the kind of information that could cause individuals considerable distress and harm if disclosed without their consent. In these circumstances, urgent injunction proceedings of the sort discussed above, which prevent access to, disclosure and use of the information, are being obtained to prevent escalation of harm. The OPC has described these injunctions as a valuable tool in organisations’ data breach toolkits.
    • Class actions: A number of large class actions are currently underway in Australia by individuals affected by cyber-attacks. These include actions relating to Optus (affecting up to 10 million current or former customers), and Medibank (affecting 9.7 million current and former customers). The claims are based on various grounds including breach of contract and negligence by the organisations holding the data. We expect to see this trend replicated in New Zealand, in light of the Supreme Court’s recent confirmation that class actions can proceed on an opt-out basis (meaning that all eligible claimants are part of the class by default) and the increasing availability and use of third-party litigation funding. 

What it means for you 

New Zealand businesses ignore the ever-increasing threat of data breaches (and related lawsuits) at their peril. Prevention is the best strategy, but it is also important to plan for the worst. Statistics suggest that not enough New Zealand businesses are doing so. According to the Kordia New Zealand Business Cyber Security Report 2023, released in March 2024, while 55% of businesses with 100 or more employees have suffered a cyber-attack or incident in the last year, one in five businesses still have no plan to deal with a cyber-attack.

We recommend implementation and regular review of the following steps:

  • Regularly conduct privacy health checks to ensure your organisation is fully compliant with the Privacy Act 2020. As part of this, consider your data retention policy and dispose of personal information that you don’t need.
  • Ensure your business has adequate cyber-security systems, and regularly review them and your data holdings to ensure that they remain fit for purpose.
  • Check your service provider contracts. While an organisation may have adopted robust data security measures, they can still be vulnerable to data breaches where their data is shared with third parties, including service providers. It is important to ensure that contracts with these third parties address how your data will be protected and what you expect the service provider to do if a breach occurs (this should always include requiring the service provider to notify any breach as soon as practicable). We provide further advice on these types of contractual measures here.
  • Develop a breach response plan which addresses urgent required containment and response steps (including people who need to be contacted), notification obligations and mitigation measures.

  • Review and understand any cyber insurance policy you have, as these can provide emergency support in the event of a breach and help protect you against the risks to your business.

Get in touch

For more information please contact our privacy and data experts below.