Data breaches happen often. Businesses and organisations can lose or leak personal information through complacency, inadequate security, poor procedures or rare accidents.
This new section on our website is designed to be a comprehensive resource to help you and your business or organisation with answers and examples for when you have to manage a data breach.
Data breaches can range from the loss of one person’s information to the loss of hundreds of thousands of records. The cause of a breach can be accidental or through the deliberate actions of others.
It is vital to any organisation’s reputation and its relationship with the people who trust it with their information that it does everything it can to prevent a data breach from happening.
But when a data breach occurs, it is important to do everything it can to minimise the harm that it might cause to the individuals whose personal information has been lost, and to your organisation.
If you have become aware that your agency has been involved in a data breach (personal information has been lost or accidentally disclosed), there are four key steps for you to work through. Read more ...
While it’s not compulsory to report a data breach, it’s a good idea to be open about what’s happened and the steps you’re taking to fix it. Read more ...
Act quickly and don’t delay. Send a follow-up email to the person or organisation that has been mistakenly sent your email asking them not to open it and delete it as soon as possible. Read more ...
If you have more questions about data breaches and other privacy-related topics, try our AskUs resource. If you have a question and AskUs doesn't answer it, let us know.
Or use our Data Safety Toolkit
Our Data Safety Toolkit provides tips to help organisations prevent common mistakes that lead to data breaches, and advises what to do when a breach happens.
How to respond to data breaches - four key steps:
Recognising types of data breaches and ways to prevent them:
Read the full text of our Data Safety Toolkit.
We publish blog posts (including our Breach Case series), tips, case notes and media releases on data breaches. Below are some examples.
8 February 2017: Breach Case 1: Name your documents clearly: It is so easy to send the wrong attachment with an email, especially if the documents you are selecting to attach are not clearly and distinctly named. We see this type of breach fairly regularly so we thought we’d highlight it in this post. Read more …
20 March 2017: Breach Case 2: Don’t bite when a phisher calls: A recent data breach involved a deliberate email phishing* attack on an industry organisation. The email purported to come from the chief executive and requested a copy of the membership list (names and email addresses). Read more …
7 April 2017: Breach Case 3: Catches win matches: A recent data breach provided an example of how it is sometimes possible to catch a breach as it is happening and avert potential harm. Read more ...
9 June 2017: Breach Case 4: Testing with real data: Sometimes it seems a good idea to use real production data in a test environment. Security becomes more important. Read more ...
4 August 2017: Breach Case 5: Taking client files offsite: You keep your home safe, don’t you? So there should be no problem taking some work notes home... Read more ...
29 November 2017: Breach Case 6: Reusing and recycling: Reusing paper that has been printed on only one side can be environmentally friendly and saves costs. But this reuse is not appropriate when dealing with personal information. Read more ...
5 April 2018: Breach Case 7: Rubbishing privacy: A recent data breach incident provided an example of how your responsibility to protect personal information does not end when you put the rubbish out for collection. Read more ...
Case note 248601  NZ PrivCmr 4: Medical practice mitigates future harm after data breach
A doctor working in a suburban medical practice had his car broken into and a bag stolen. The bag contained a USB stick with the personal information of a number of patients, including their names and details of their prescribed drugs and medical diagnosis. Read more ...
Case Note 211257  NZPrivCmr 16: Several people complain that a government department lost their personal information
A staff member from a government department dropped a file in an Auckland street. The file contained a list with personal information about a large number of individuals. The information was subsequently passed to media outlets. Read more ..
NZ Doctor series - Privacy matters (#44): Don’t dig a bigger hole
A doctor closed the doors of his practice after years of treating patients, and was left with a substantial amount of information to dispose of. Instead of shredding the documents or arranging for some other type of secure destruction, the doctor decided he would bury the records on a beach. The records were soon uncovered by the tides, littering that part of the coastline. Read more ...
Privacy Commissioner monitoring Yahoo hack (September 2016)
The Privacy Commissioner is monitoring the Yahoo hack that compromised up to 500 million users’ accounts. The hack affects a small portion of the 825,000 email accounts that Spark provides to users through its partnership with Yahoo. Read more ...