TheNewzealandTime

NZ doesn’t take data breaches nearly as seriously as it should

2026-02-19 - 16:06

Comment: The Manage My Health data breach in December was one of the largest cyber security incidents to affect the New Zealand public to date, but it wasn’t the first and it certainly won’t be the last. The incident exposed the psychiatric diagnoses, sexual health records, and domestic violence histories of more than 120,000 New Zealanders. Two separate government reviews into the incident have now been launched – one by the Ministry of Health and one by the Privacy Commissioner. While we wait on public details, it’s worth zooming out and thinking about the role government can play in preventing these incidents in the future.

It’s true at this point that our society is digitally dependent. It’s also true that the systems handling our most sensitive data on a day-to-day basis are largely managed, maintained, and secured (or not) by private enterprise. These companies are trusted to handle our information with care.

When done right, cyber security is an exercise in risk management. In a world of inherent uncertainty and rapid technological change, organisations monitor and assess the risks facing their systems, weigh the likelihood of various incidents happening, and calculate the impacts of potential breaches. Armed with this knowledge, they allocate resources to mitigate their most pressing concerns.

This practice is often more art than science. Companies may rely on finger-in-the-air assessments of incident likelihoods and consequences, have limited understanding of the cyber threat landscape, be blind to the always evolving vulnerability status of their own technology stacks and organisational processes, or outsource to third parties without conducting security due diligence.

It would be a surprise to no one that companies are managing your data for their own sake. Harm to an individual as a result of a security breach, such as identity theft or a loss of privacy, only matters to the extent it threatens the company’s bottom line. The true cost of user harm remains an externality, while the reputational consequences of that harm instead become the measurement used to justify investment in security.

While public agencies have numerous statutory requirements regarding their approaches to handling sensitive public data (e.g. adherence to official risk management processes, the Protective Security Requirements and the requirements of the New Zealand Information Security Manual), private companies handling the same data do not have such strict obligations. As we push more of our data into corporate hands, we need to do more than just trust that reputational consequences are enough to incentivise security spending – especially where public safety is on the line.

As a society, we need to be influencing private-sector security decision-making before incidents like Manage My Health happen. To change the internal calculations of cyber security governance, we need a regulatory environment that makes security a necessity for those handling our most sensitive data.

The government’s role in private-sector cyber security has so far been mostly reactive. While the National Cyber Security Centre (New Zealand’s central agency responsible for cyber security) provides excellent advice, incident response assistance, and technical threat detection and disruption services to the public, its role as a service provider rather than a regulator means it can do little to influence private-sector cyber security decision-making.

This doesn’t mean we have to reinvent the wheel. Across the Tasman, Australia’s Security of Critical Infrastructure Act requires critical infrastructure providers to follow a government-defined risk-management program. The European Union goes further with its NIS2 Directive, introducing personal liability for executive-level security negligence.

While these examples mainly focus on ‘traditional’ critical infrastructure sectors, they could still provide a foundation for regulating companies that store New Zealanders’ most sensitive data en masse. When an organisation holds the health records of millions, it is operating nationally significant infrastructure and its security governance should be regulated as such.

Outside of entirely new governance mechanisms, the most powerful tool New Zealand has when it comes to influencing private-sector cyber security investment is the Privacy Act 2020. Specifically, Principle 5 requires that personal information is protected by “security safeguards as are reasonable in the circumstances”. This principle should be a mechanism to incentivise increased investment in security for the private sector, but the maximum fine for offences under the Act is a mere $10,000. It also seems legally murky whether a gross breach of Principle 5 would even constitute a fineable offence, with the ‘Offences’ section of the Act covering only obstruction, failures to comply with the commissioner’s lawful requirements, providing false information, and acts of impersonation or document destruction.

In Australia, penalties for breaches of privacy law were increased in 2022 to either AUD$50 million, three times the value of any benefit obtained through the misuse of information, or 30 percent of a company’s adjusted turnover in the relevant period, whichever is higher. Similarly, a breach of Europe’s General Data Protection Regulation sees a maximum fine of €20 million or 4 percent of annual global turnover – again, whichever is higher. Our $10,000 fine is likely only to sway the security investment decisions of the smallest companies, and until our laws have some teeth, New Zealanders will continue to pay the price for cyber security mismanagement.

Privacy Commissioner Michael Webster recently said it best: “If New Zealand wants to be serious about privacy, then organisations need to be held accountable for their failings in handling personal information.” Amending the Privacy Act and empowering the Privacy Commissioner to do their job is a logical first step to ensuring that societal data protection is taken seriously and approached proactively, but it shouldn’t be the last.