The Privacy Act 2020, which came into force on 1 December 2020, significantly strengthened New Zealand's data privacy framework. For businesses that suffer a data breach — through a cyber attack, accidental disclosure, or employee action — the Act creates mandatory notification obligations that can be both costly and reputationally damaging.
What is a "notifiable privacy breach"?
Not every data breach requires notification. The Privacy Act's threshold is a privacy breach that:
1. Has caused serious harm to an affected individual, or
2. Is likely to cause serious harm to an affected individual
The Act does not exhaustively define "serious harm", but it includes significant financial loss, physical harm, significant reputational damage, and loss of employment or business opportunities resulting from the breach of the individual's privacy.
In assessing whether serious harm is likely, the Act directs a business to consider factors such as the sensitivity of the information, the nature of the harm that could result, who has obtained (or may obtain) the information, any action the business has taken to reduce the risk of harm, and whether the information was protected by a security measure such as encryption. Breaches involving sensitive categories of information (health data, financial data, identity information) are therefore more likely to meet the threshold, while a lost device whose data is strongly encrypted may not.
Who must be notified?
When a notifiable breach occurs, the business must notify:
1. The Privacy Commissioner (via privacy.govt.nz) as soon as practicable after becoming aware of the breach
2. The affected individual(s), subject to limited exceptions in the Act, for example where notification would endanger someone's safety or prejudice law enforcement. Where it is not reasonably practicable to notify each affected individual, the business must give public notice of the breach instead.
The notification must include: what happened, what information was affected, what the business is doing in response, and what the individual can do to protect themselves.
What are the consequences of non-compliance?
Failure to notify a notifiable breach can result in:
- Investigation by the Privacy Commissioner
- A compliance notice requiring the business to take specific actions
- A fine of up to $10,000: failing to notify the Privacy Commissioner of a notifiable breach without reasonable excuse is an offence under the Act
- Adverse publicity and reputational damage from a public Privacy Commissioner report
- Increased regulatory scrutiny going forward
While the direct fine is capped at $10,000, affected individuals can still complain about the breach, with damages available through the Human Rights Review Tribunal, and the reputational and commercial consequences of a badly managed breach, particularly where notification was delayed or avoided, can far exceed the fine.
The practical cost of breach response
The obligation to notify creates direct costs that many businesses underestimate:
- Legal review of whether the breach is notifiable ($2,000-$10,000+)
- Drafting and sending notification letters to affected individuals
- For large breaches: printing, postage, and call centre costs for recipient inquiries
- Credit monitoring services for affected individuals (sometimes offered as remediation)
- PR and communications management
- IT forensic investigation to understand the scope of the breach
For a breach affecting 1,000 customers, notification and response costs can easily reach $50,000-$150,000 before any third-party liability is considered.
How cyber insurance addresses Privacy Act obligations
Cyber insurance is specifically designed to cover Privacy Act breach response costs. A well-structured cyber policy includes:
- **Forensic investigation:** Determining what data was accessed, by whom, and for how long
- **Legal assessment:** Advice on whether the breach is notifiable and what the notification obligations are
- **Notification costs:** The cost of preparing and sending notifications to affected individuals and the Privacy Commissioner
- **Credit monitoring:** Providing affected individuals with credit monitoring services as part of remediation
- **Crisis communications:** PR management to handle media inquiries and public communication
- **Regulatory response:** Legal support for responding to a Privacy Commissioner investigation
Which businesses are most exposed?
Any business that holds personal information about customers or employees faces Privacy Act obligations on breach. Higher-risk sectors include:
- Healthcare providers (health data is among the most sensitive)
- Financial services businesses (financial data, account details)
- Professional services firms (client information)
- E-commerce businesses (payment and purchase data)
- Any business with a substantial customer database
Practical steps
1. Conduct a data inventory: know what personal information your business holds, where it is stored, and how it is protected (encryption at rest is one of the factors the Act weighs when assessing serious harm)
2. Implement a Privacy Act response plan: who does what when a breach is discovered, and who decides whether the serious harm threshold is met
3. Train staff on identifying and escalating potential breaches
4. Review your cyber insurance to confirm it covers Privacy Act breach response costs, and check any sub-limits or conditions (such as requiring the insurer's approval before engaging forensic or legal providers)
5. Know the Privacy Commissioner's reporting process at privacy.govt.nz before you need it
For businesses without cyber insurance, the Privacy Act creates a compelling argument for coverage. The notification obligations alone — which apply regardless of whether the breach was malicious or accidental — create costs that cyber insurance is specifically designed to address.