Privacy penalties and personal liability: a new world for NZ cyber laws

11 March 2026 Richard Massey and Maddie Ferrier

New Zealand businesses could soon face penalties for privacy breaches and cyber security failures. The Government’s new “Cyber Security Strategy”, recently released alongside a “Cyber Security Action Plan” (Action Plan), signals a fundamental shift in how privacy laws are enforced and serves as a reminder of the importance of implementing robust cyber security practices.  

In addition, new proposals for critical infrastructure regulation could impose mandatory cyber security obligations on operators in key sectors, with significant penalties for non-compliance including personal liability for directors. 

Cyber Security Strategy and Action Plan

The Strategy sets out New Zealand's cyber security vision and priorities for 2026–2030, framed around four key “objectives”: understand, prevent and prepare, respond, and partner. The accompanying Action Plan is more granular, outlining specific initiatives the government will pursue over the next two years to translate the objectives into regulatory and policy measures.

To summarise the four key “objectives” for 2030:
  • “Understand”: The Strategy aims to ensure government and industry are sharing threat intelligence effectively so that New Zealanders understand the cyber risks they face and know what practical steps to take to protect themselves. 

    The Action Plan refers to establishing a “single point for cyber incident reporting” to improve quality of data and make it easier to access advice, guidance and help in response and recovery from cyber incidents.

  • “Prevent & Prepare”: Organisations across both public and private sectors will be expected to embed robust cyber security practices into their operations and supply chains. The paper notes that the Government Chief Digital Officer will be empowered to take “a more directive approach” to digital governance.

    Interestingly, the Action Plan raises the need to ensure New Zealand can manage “quantum-resistant cryptographic material.” For context, this refers to encryption methods designed to withstand attacks from quantum computers, which are expected to eventually be capable of breaking many of the cryptographic systems currently used to secure sensitive data and communications. It also notes options to “incentivise the protection of personal information” such as a new “civil pecuniary penalty regime” under the Privacy Act.

  • “Respond”: The government will enhance its capability to detect and disrupt serious threats including cybercrime. The paper refers to “modernising our legislative frameworks” to account for the complexity and global nature of cyber threats, including to allow New Zealand law enforcement agencies to access digital evidence to effectively investigate cybercrime.

    Similarly, the Action Plan states that the government will update legislative powers to enable New Zealand’s security sector agencies to use cyber capabilities and tools to advance our national security interests. It also notes a possible “new offence” targeted at people who view, possess, or disseminate personal information when they are aware it has been illegally obtained.

  • “Partner”: The Strategy and Action Plan emphasise deeper collaboration and “targeted cooperation” between government and industry domestically, including active participation in international efforts to maintain a secure cyberspace.

The most eye-catching of the proposals is the suggested civil penalty regime under the Privacy Act. This would materially raise the stakes for privacy breaches or data protection failures and follows a period of active public commentary on the relatively limited enforcement consequences under the Privacy Act (triggered in part by the recent ManageMyHealth and MediMap data breaches). 

Proposed critical infrastructure framework

Alongside the Strategy and Action Plan, the government has also published a discussion document consulting on a framework to enhance the cyber security of New Zealand’s critical infrastructure system.

The framework includes the following measures:
  • Defining what counts as ‘critical infrastructure’ to clarify who is caught by mandatory requirements to enhance cyber security. The paper notes that this could focus on seven essential services: communications and data, defence, energy, finance, health, transport and water. Regulations would clarify the type and level of service provision that meets the definition of ‘critical infrastructure’.

  • Building a shared understanding of interdependencies across the critical infrastructure system to minimise the risk and impact of cyber incidents. The paper considers imposing reporting requirements for “significant cyber incidents” (in short, an event that is likely to have serious impacts on the confidentiality, integrity or availability of information, or the delivery of essential services). The paper also notes that directors of critical infrastructure entities would be personally responsible for ensuring compliance with certain prescribed minimum requirements.

  • Requiring critical infrastructure entities to develop, implement and maintain a risk management programme aligned with an internationally recognised cyber security framework. 

    The paper refers to various proposed “compliance tools”, including a range of criminal penalties. For the most serious breaches (e.g. negligently failing to meet minimum cyber security requirements) the penalties are NZ$5 million or 2% of annual turnover. Notably, the paper also proposes penalties for directors of up to NZ$500,000. We expect this will be an area of focus in submissions for many entities caught by the proposed regime. 

Implications and next steps 

For many New Zealand businesses, these proposals will require a fundamental reassessment of how cyber risk is governed, resourced, and reported. Businesses should reflect carefully on the package of announcements and focus on taking practical steps in preparation for the proposed changes. In particular, that should include: 

  • ensuring cyber considerations are embedded into enterprise risk frameworks;

  • tightening controls around access management, encryption, and third-party suppliers; and

  • ensuring incident response plans are tested and fit for purpose (so that reporting obligations can be managed efficiently if a data breach or other cyber attack occurs). 

While the precise scope and timing of the reforms remain uncertain, the direction of travel is clear. Businesses should act now (including engaging constructively with the consultation, in the case of critical infrastructure entities) to ensure they are prepared when the new rules take effect.

If you have any questions about this article, or the impact of the proposed reforms for your business, please get in touch with the contacts listed or your usual Bell Gully adviser.

Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.