Privacy Act 2020 Cyber Breach Notification — What NZ Businesses Must Do, in Order
Published 18 May 2026 · Reviewed 18 May 2026 · By Stewart Hunt, FCIB (FSP748591)
If a cyber incident causes (or is likely to cause) serious harm to one or more individuals, your business has obligations under the Privacy Act 2020: notify the Office of the Privacy Commissioner (OPC) and notify the affected people. The deadlines are short, the serious-harm test is judgement-based, and your cyber insurance, if you have it, will usually pay for the legal advice, the notification logistics, and (in most policies) the regulatory defence. This guide walks through the obligations in the order they actually arise during a breach. It is general information, not personalised legal or financial advice; for your specific incident, speak to a privacy lawyer and your insurer's incident-response team.
The statutory framework, in one paragraph
The Privacy Act 2020 (in force since 1 December 2020) requires NZ agencies to notify both the Privacy Commissioner and affected individuals as soon as practicable after becoming aware of a privacy breach that has caused, or is likely to cause, serious harm. The legislation is Part 6 of the Privacy Act 2020 (notifiable privacy breaches), sections 112 onwards. The Office of the Privacy Commissioner publishes the operational guidance at privacy.org.nz/responsibilities/privacy-breaches/notify-us. The notification tooling, including the breach notification form, is hosted by OPC at privacy.org.nz/notifications. These primary sources always take precedence over secondary summaries, including this one.
Step 1 — Confirm a privacy breach has occurred
A privacy breach under section 112 is any unauthorised or accidental access to, or disclosure, alteration, loss or destruction of, personal information, or any action that prevents an agency from accessing personal information on a temporary or permanent basis, whether caused by someone inside or outside the agency. In cyber terms: ransomware encryption preventing access, exfiltration to an external attacker, an insider downloading customer data to a personal device, a misconfigured S3 bucket exposing records, a misdirected email containing a payroll file. All of these are privacy breaches if personal information is involved; whether they must be notified is the next step.
Step 2 — Assess whether it meets the "serious harm" threshold
Not every privacy breach is notifiable. The notification obligation triggers only when the breach causes, or is likely to cause, serious harm. Section 113 sets out the factors an agency must consider:
- Any action you have already taken to reduce the risk of harm (containment, credential resets, recovery of the data)
- The sensitivity of the information (health, financial and identity-document data weigh more)
- The kind of harm that may result (identity theft, financial loss, threats to personal safety, reputational damage)
- Who has obtained or could obtain the information, if known, and what they could do with it
- Whether the information was protected by a security measure (for example, encryption where the attacker did not also obtain the key)
- Any other relevant matters
The OPC's notifiable-breach guidance includes a decision flow and case studies. If you're uncertain, OPC's stated position is that you should err toward notifying; a breach that is assessed too optimistically and not notified is the harder position to defend later.
Step 3 — Notify the Privacy Commissioner (as soon as practicable)
The Act doesn't impose a fixed clock; the phrase is "as soon as practicable" after becoming aware of a notifiable breach. In practice, the OPC has said it expects to be notified within 72 hours of your becoming aware that a breach is notifiable. Use the OPC online notification form at privacy.org.nz/notifications. You'll be asked for the following information (have it ready before you start the form):
- When the breach happened and when you became aware of it
- The nature of the breach and how it occurred
- The type and approximate number of records affected
- What types of personal information were involved
- What harm could result and who is affected
- What steps you've taken to contain the breach and prevent recurrence
- Whether and how you intend to notify affected individuals
If forensic investigation is still in progress and the exact record count or attack vector is unknown, notify with what you have and update the OPC as you learn more. A partial notification within the window is better than a complete one outside it; state clearly which figures are estimates so that later corrections are expected rather than read as contradictions.
Step 4 — Notify affected individuals
Section 115 requires notification to affected individuals as soon as practicable (or, where notifying each person is not reasonably practicable, a public notice), subject to the exceptions in section 116 (for example, where notification would prejudice the maintenance of the law or endanger someone's safety) and the limited right to delay under section 117 where immediate notification would increase the security risk to the information. The notification to individuals must include:
- The fact that a breach has occurred
- The nature of the breach
- The kind of information involved
- What you've done in response
- What the individual can do to protect themselves (e.g., monitor accounts, change passwords, watch for phishing)
- How to contact you for more information
- That they can complain to the Privacy Commissioner if they believe the response is inadequate
The mechanics (letters, emails, SMS, call-centre overflow, a dedicated landing page) are exactly the cost line that cyber insurance is designed to absorb. Larger breaches frequently involve five- or six-figure notification spend on printing, postage, call-centre capacity, and credit monitoring offered to affected people.
Step 5 — Where cyber insurance fits
A well-structured cyber policy responds at multiple points in the timeline above:
- Step 1 (incident triage): Forensic-investigation cover pays for an insurer-panel forensics firm to determine cause, scope, and remediation.
- Steps 2–3 (legal advice + OPC notification): Legal cover pays for a privacy lawyer to advise on the serious-harm test, draft the OPC notification, and engage with the Commissioner.
- Step 4 (individual notification): Notification-cost cover pays for the mechanics of reaching affected people — letters, call-centre capacity, credit monitoring.
- After notification (regulatory defence): If the OPC opens an investigation or commences proceedings, regulatory-defence cover pays for the legal representation. Statutory fines under the Act are small; the ancillary costs (defence, remediation, customer care) frequently aren't.
- Throughout (business interruption): If the breach was caused by a ransomware event that also took systems offline, business-interruption cover pays for lost profit and increased cost of working during the recovery window.
Crucially, most cyber policies require the insurer's prior consent before you engage a forensics firm or counsel; they expect you to use their panel. If you make those calls before notifying the insurer, the policy may decline to pay for them, or decline the claim altogether. The first call after Step 1 should be to your broker (or the insurer's incident-response hotline if you have one), not to your IT firm.
Step 6 — Document everything
The OPC can ask for a written breach response history at any time during a subsequent investigation. CERT NZ (now part of the National Cyber Security Centre) recommends keeping a contemporaneous incident-response log: a time-stamped journal of decisions, communications, vendors engaged, and the reasoning behind each. This is also what insurers ask for at the proof-of-loss stage; keeping the log live during the incident saves weeks of reconstruction later, and a log written as events happen is far more credible than one assembled afterwards.
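A minimal implementation of that journal, as an added example (it is not the page's, CERT NZ's or OPC's own tooling). Everything about the format is an assumption: one JSON object per line, a UTC timestamp taken at write time rather than supplied later, an entry kind matching the categories above (decision, communication, vendor, observation), and, as a design choice the page does not mention, the SHA-256 of the previous line stored in each entry so that an edited, removed or reordered entry is detectable when the log is produced to the OPC or at proof-of-loss. The entries in run_demo() are constructed for illustration.

```python
"""Contemporaneous incident-response journal (added example, not from the page).

Assumptions, none taken from the page: JSONL on disk; every entry carries a
UTC timestamp, author, kind and text; each entry also stores the SHA-256 of the
previous line so later tampering with the history can be detected."""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Entry categories mirror what the guide says the log should capture.
KINDS = ("decision", "communication", "vendor", "observation")


def _digest(line: str) -> str:
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


class IncidentJournal:
    """Append-only JSONL journal with a hash chain over its lines."""

    def __init__(self, path: Path) -> None:
        self.path = path

    def _lines(self) -> list[str]:
        if not self.path.exists():
            return []
        return self.path.read_text(encoding="utf-8").splitlines()

    def append(self, kind: str, author: str, text: str,
               when: datetime | None = None) -> dict:
        """Record one entry. `when` exists for the demo; in use, leave it unset."""
        if kind not in KINDS:
            raise ValueError(f"unknown entry kind: {kind}")
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware (use UTC)")
        lines = self._lines()
        entry = {
            "ts": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "kind": kind,
            "author": author,
            "text": text,
            "prev": _digest(lines[-1]) if lines else None,  # chain link
        }
        with self.path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify(self) -> tuple[bool, str]:
        """Check every chain link and that entries are in time order."""
        lines = self._lines()
        prev_line: str | None = None
        prev_ts: datetime | None = None
        for n, line in enumerate(lines, start=1):
            try:
                entry = json.loads(line)
            except json.JSONDecodeError:
                return False, f"line {n}: not valid JSON"
            expected = _digest(prev_line) if prev_line else None
            if entry.get("prev") != expected:
                return False, f"line {n}: chain broken (edited, removed or reordered)"
            ts = datetime.fromisoformat(entry["ts"])
            if prev_ts is not None and ts < prev_ts:
                return False, f"line {n}: timestamp earlier than previous entry"
            prev_line, prev_ts = line, ts
        return True, f"{len(lines)} entries, chain intact"

    def history(self) -> str:
        """Plain-text breach response history, in the order it was written."""
        rows = [json.loads(line) for line in self._lines()]
        return "\n".join(
            f"{r['ts']}  [{r['kind']:<13}] {r['author']}: {r['text']}" for r in rows
        )


def run_demo() -> dict:
    """Write a constructed journal, verify it, then show that tampering is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        journal = IncidentJournal(Path(tmp) / "incident.jsonl")
        t0 = datetime(2026, 5, 18, 9, 0, tzinfo=timezone.utc)  # constructed times
        journal.append("observation", "ops", "Ransom note on FS01; file shares unreadable", t0)
        journal.append("decision", "CISO", "Contain: isolate FS01, reset domain admin creds", t0.replace(minute=20))
        journal.append("communication", "CFO", "Broker notified via insurer hotline; claim ref pending", t0.replace(minute=45))
        journal.append("vendor", "CISO", "Panel forensics firm engaged with insurer consent", t0.replace(hour=11))
        journal.append("decision", "privacy lead", "Serious-harm test met: payroll PII exfiltrated; notify OPC", t0.replace(hour=16))
        intact, _ = journal.verify()
        history = journal.history()

        # Simulate someone later softening the containment decision on line 2.
        lines = journal.path.read_text(encoding="utf-8").splitlines()
        edited = json.loads(lines[1])
        edited["text"] = "Monitor FS01 only"
        lines[1] = json.dumps(edited, sort_keys=True)
        journal.path.write_text("\n".join(lines) + "\n", encoding="utf-8")
        ok_after, reason = journal.verify()

    return {"intact": intact, "entries": len(lines), "history": history,
            "tamper_detected": not ok_after, "reason": reason}


if __name__ == "__main__":
    result = run_demo()
    print(result["history"])
    print(result["reason"])
```

The edit is caught at line 3, not line 2: the altered line still carries a valid link back to line 1, but the next entry's stored digest no longer matches it. The same check catches a deleted or reordered line. The chain only proves internal consistency; to prove the file existed at a given time, periodically send its latest digest somewhere you cannot quietly rewrite (an email to your broker or counsel does the job).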
Quick FAQ
Is there a fixed deadline for OPC notification?
The legal phrase is "as soon as practicable" after becoming aware of a notifiable breach, not a fixed number of hours. The OPC's stated operational expectation is notification within about 72 hours of your becoming aware that the breach is notifiable. Partial notification with subsequent updates is better than late full notification.
What's the maximum penalty under the Privacy Act 2020?
The Act creates criminal offences, including failing to notify the Commissioner of a notifiable breach without reasonable excuse, punishable by a fine of up to NZ$10,000 on conviction, and the OPC can issue compliance notices. Affected individuals can also complain, and the Human Rights Review Tribunal can award damages. Even so, the reputational and customer-remediation costs almost always exceed the statutory penalty by an order of magnitude.
Does cyber insurance cover the fine itself?
It depends on the wording. Penalties under the Act are fines imposed on conviction, and most policies will pay fines and penalties only "where insurable at law"; whether a particular fine can be insured is a legal question, not one the policy can answer on its own. The more material cost is usually the defence costs, the notification spend, and the remediation and customer-care costs. Read the regulatory-defence wording in each quote you receive.
Primary sources cited in this guide
- Privacy Act 2020 — full text (legislation.govt.nz)
- OPC — Notifiable privacy breaches (privacy.org.nz)
- OPC — Online notification form (privacy.org.nz)
- CERT NZ (now part of the NCSC) — Critical Controls framework
Disclaimer: This article is general information, not personalised legal or financial advice. For your specific incident, speak to a privacy lawyer and your insurer's incident-response team. Cyber Insurance Quotes NZ is operated by First Commercial Insurance Brokers Ltd (FSP748591), a Member Broker of Insurance Advisernet New Zealand Ltd. FCIB Disclosure Statement.
Reviewing your cyber cover?
FCIB arranges cyber insurance from a panel of NZ-licensed insurers. Free quote, no obligation.
Get a quote →