Storing and sharing your business’ data online is convenient and efficient. However, operating online can bring its own set of risks. So, the law imposes various rules on businesses that handle certain kinds of sensitive information online. If your business is the victim of a data breach, then it may be serious enough that there are various parties that you need to notify. If you do not, then there may be legal consequences. Therefore, this article will explain what happens when you do not report a notifiable data breach in New Zealand.

What Is a Data Breach?

The exact nature of a data breach can vary, but it generally entails a situation where something has compromised your data. These situations can include:

  • an unauthorised third party gaining access to your business’ data;
  • a data leak into an unsecured environment, such as the general Internet;
  • something preventing you from accessing your systems, like a DDoS attack;
  • unintended deletion or loss of your business’ data; or
  • an unauthorised disclosure of data.

As a result, the causes of data breaches range from a cyberattack or a leaked password to someone sending sensitive business information to an unintended recipient. Data breaches vary in severity and in the effect they have on your business. Often, the kind of information involved determines how serious the breach is. This is particularly true when a data breach involves information that you have legal obligations attached to, such as personal or contractual information. In those cases, a data breach becomes an issue of privacy or confidentiality.

When Is a Data Breach Notifiable?

When a data breach involves such information, the law imposes certain responsibilities on the organisation that held that information. This fact is particularly true for personal information, which is any data that you can use to identify a person.

For example, if you collect and store customers’ contact details, such as their names and addresses, you are dealing with their personal information. Accordingly, you need to comply with the rules that the Privacy Act sets.

When you deal with personal information, one of your responsibilities is to report a data breach involving that information if the breach is likely to cause (or has already caused) serious harm to the people it is about. You need to report this privacy breach to the Privacy Commissioner as soon as practicable after you become aware of it. You can do this using the Office of the Privacy Commissioner’s NotifyUs tool. Serious harm can include:

  • physical harm or threats of violence;
  • financial fraud;
  • psychological or emotional harm; or
  • domestic violence.

For example, if your customers’ credit card details and other financial information are exposed in a data breach, there is the potential for identity theft and other kinds of fraud. Therefore, this privacy breach is likely to cause serious harm, and you will need to notify both the Privacy Commissioner and the affected customers.

Whether the data breach is serious enough to notify will depend on a variety of factors. The NotifyUs tool can help you work through these. Additionally, you will need to notify any affected individuals where appropriate. If a data breach involved any confidential contractual information, you will likely also need to notify any business partners that it may affect.

What Happens If I Do Not Report a Notifiable Data Breach?

If you fail to report a notifiable privacy breach to the Privacy Commissioner without a reasonable excuse, you can receive a fine of up to $10,000. However, in many situations, the Privacy Commissioner is not the only party that you need to inform when a data breach is serious enough. Depending on the nature of the breach, you may also need to inform your business partners and your customers. If you do not tell these people that their information has been compromised, you may be breaching other obligations, such as:

  • directors’ duties;
  • fair trading law;
  • employment law; and
  • contractual obligations.

Note that if you deal with the personal information of EU residents, international laws such as the General Data Protection Regulation (GDPR) may apply to you. The GDPR has much heavier fines, so you need to make sure you know whether these laws cover your business.

Exceptions to Notification

There are no exceptions to your duty to notify the Privacy Commissioner of a notifiable privacy breach. However, in some cases, you may not need to notify the affected individuals whose personal information was involved. These are cases where you believe that notification would:

  • endanger the safety of any person;
  • reveal a trade secret;
  • prejudice the security or defence of New Zealand;
  • prejudice the health of the affected individual (on the advice of a health practitioner); or
  • prejudice the maintenance of the law by any public sector agency, including the prevention, investigation and detection of offences.

Key Takeaways

If a data breach involves personal information and is likely to cause serious harm, you need to inform the Privacy Commissioner that it has occurred, and in most cases the affected individuals as well. Additionally, where a data breach involves confidential contractual information, you will usually need to inform the other contracting parties at a much lower threshold than serious harm. If you would like more information or help with determining when a data breach is notifiable, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is a notifiable data breach?

A privacy breach is notifiable when it is likely to cause (or has already caused) serious harm to the people whose personal information is involved. In those cases, you need to notify both the Privacy Commissioner and the affected people.

What happens if I do not report a notifiable data breach?

If you do not report a notifiable privacy breach, you can face a fine of up to $10,000 under the Privacy Act. Depending on the nature of the breach, you may face penalties under other laws as well.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.