Mandatory Breach Notification Under the Privacy Act 2020
The Privacy Act 2020 introduced mandatory breach notification obligations for all businesses operating in New Zealand. Under the Act, if your organisation experiences a privacy breach that is likely to cause serious harm to affected individuals, you must notify both the Office of the Privacy Commissioner and the affected individuals as soon as practicable.
This is a significant departure from the previous voluntary notification regime, and it has material financial consequences for businesses that experience data breaches. Understanding exactly what the notification obligation requires — and what it costs — is essential for any business holding personal information.
What Triggers Mandatory Notification?
Not every privacy breach requires notification. The obligation is triggered when a breach meets the "serious harm" threshold. Factors the Privacy Commissioner uses to assess serious harm include: the sensitivity of the information involved, whether the information could be used to harm the affected person (financial loss, physical harm, discrimination, humiliation), the number of people affected, whether the information has been or is likely to be misused, and the vulnerability of affected individuals.
In practice, most cyber-enabled data breaches — particularly those involving financial data, health information, identification documents or information about vulnerable individuals — will meet the serious harm threshold and require notification.
The Notification Process: Step by Step
When a notifiable breach occurs, the Privacy Commissioner must be notified as soon as practicable — this typically means within a few days of determining that the breach is notifiable, not weeks. Simultaneously, affected individuals must be notified in a way that is reasonably likely to reach them. The notification must include: details of what happened, what information was involved, what steps the organisation is taking, and how affected individuals can make a complaint or obtain further information.
If a large number of individuals are affected, or if direct notification is impractical, alternative notification methods — such as public notice — may be required. The Privacy Commissioner has published guidance on notification methods and can provide advice in specific cases.
What Does Breach Notification Actually Cost?
The cost of a mandatory breach notification exercise depends on the size and nature of the breach. For a small business with a few hundred affected customers, costs might include legal advice ($5,000–$15,000), notification letter drafting and distribution ($2,000–$5,000), a dedicated response email inbox ($500–$1,000), and Privacy Commissioner engagement ($2,000–$5,000). Total: $10,000–$26,000 for a relatively contained incident.
For larger breaches — thousands of affected individuals, sensitive data types, potential for significant individual harm — costs escalate rapidly. A major breach affecting 10,000+ individuals might require: specialist cyber breach legal counsel ($50,000+), call centre support for affected individuals ($20,000–$80,000), credit monitoring services ($15–$25 per individual per year), crisis communications ($20,000–$50,000), and ongoing Privacy Commissioner engagement ($10,000–$30,000). Total: $100,000–$200,000+ is not unusual for large-scale notification exercises.
Penalties for Failing to Notify
Failure to notify the Privacy Commissioner of a notifiable breach is an offence under the Privacy Act 2020. The current maximum fine for this offence is $10,000. While this figure may seem modest, the Privacy Commissioner also has powers to name organisations that have failed to meet their obligations — with the reputational consequences typically far exceeding the fine itself. The Government is currently considering civil penalty reforms that could significantly increase financial penalties for serious privacy breaches.
How Cyber Insurance Covers Notification Costs
A cyber insurance policy covers all of the costs described above under its "data breach response" or "privacy event" coverage section. This typically includes: legal advice on notification obligations, notification drafting and distribution, call centre and affected individual support, credit monitoring, Privacy Commissioner engagement, and crisis communications. In many policies these costs are covered from the first dollar spent, with no deductible applying.
The value of this cover extends beyond the financial: the insurer's specialist breach response team includes experienced privacy lawyers and breach coaches who have managed dozens of NZ privacy breach notifications. Their expertise dramatically speeds up the notification process and reduces the risk of regulatory complications arising from a poorly managed notification.
About the Author
The CyberCover Team is dedicated to making cyber insurance transparent and accessible for NZ businesses of all sizes.