Cyber incidents are increasing dramatically and – with personal liability on the horizon for directors – you should act now to ensure data breach response plans are robust, modernised for AI, and stress-tested.
A staggering 59% of New Zealand businesses experienced a cyber incident in the 12 months ending February 2026. The number of malicious cyber events disrupted by New Zealand’s National Cyber Security Centre rose from 10.3 million in 2023/24 to 473.4 million in 2025/26.
Our legal experts understand what a robust data breach response plan should look like and have outlined practical tips and considerations, including plans that can be tailored to your business.
What risks does generative AI increase?
- Unintentional data breach: for example, ‘shadow AI’ where your employees input personal information into unauthorised AI models (an everyday reality for most businesses).
- Intentional data breach: for example, hackers using new methods like ‘prompt injections’ and supercharging traditional methods like phishing and identification of existing security weaknesses.
Tools are available to mitigate these risks – as we outlined in our previous article on privacy and AI in the workplace – however it is also crucial to develop a modernised Data Breach Response Plan.
Keys for developing a plan
The adage is true here – preparation is key. Making decisions on-the-fly during a data breach is both stressful and strategically unwise. You should approach the issue the same way the All Blacks approach an important test match:
- develop a clear plan
- identify the key leaders on your data response team
- identify back-up leaders in case the others are away or have pulled a hammy and cannot get there in time
- stress-test the plan.
Several individuals presented at Privacy Week seminars recently, imparting some of the tips referenced below.
Tips for developing or improving your plan:
- Identify what constitutes a breach warranting intervention. This ranges from a full-scale hack to inadvertent employee disclosure.
- For each scenario, obtain legal advice in advance on whether that type of data breach is notifiable and on the necessary legal steps. Legal advice will still need to be obtained for the specific fact scenario on the day, but preliminary advice means you will not be starting from scratch under high stress.
- Map contractual notification obligations in your supply chain.
- Pre-draft communications to impacted parties.
- Consider whether a data breach will engage other jurisdictional requirements and ensure they are covered. For example, the GDPR has slightly different notification thresholds, so a risk register covering it may be needed.
- Run simulations with your data breach response team, learn and adjust.
Building your plan
Once the data breaches are mapped out, plans should set out four steps to take on discovery.
In each case, remember to preserve evidence including logs, prompts, system images, and rationale for decisions. Forensic preservation is critical both for a mandatory Privacy Act assessment and for explanation and mitigation regarding impacted parties.
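As an added illustration of the evidence-preservation point above (this is example code, not part of the article or any tool the firm recommends), the script below builds a manifest of collected artefacts, recording each file's SHA-256 hash, size and collection time together with the collector and the rationale, and later re-verifies the files against that manifest so any alteration after collection is detected. The file names, log line and prompt text are constructed samples, and the "collected_by" value is a placeholder.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large system images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, collected_by: str, rationale: str) -> dict:
    """Record hash, size and UTC collection time for each artefact, plus who collected it and why."""
    items = []
    for path in map(Path, paths):
        stat = path.stat()
        items.append({
            "path": str(path),
            "size": stat.st_size,
            "sha256": sha256_file(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    return {"collected_by": collected_by, "rationale": rationale, "items": items}


def write_manifest(manifest: dict, dest: Path) -> None:
    """Persist the manifest as JSON so it can be attached to the incident record."""
    dest.write_text(json.dumps(manifest, indent=2))


def verify_manifest(manifest: dict) -> list:
    """Return (path, problem) pairs for artefacts that are missing or no longer match their hash."""
    problems = []
    for item in manifest["items"]:
        path = Path(item["path"])
        if not path.exists():
            problems.append((item["path"], "missing"))
        elif sha256_file(path) != item["sha256"]:
            problems.append((item["path"], "hash mismatch"))
    return problems


def demo():
    """Collect two constructed artefacts, verify them, then show that a later edit is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "app.log"           # constructed sample log
        prompt = Path(tmp) / "prompt.txt"     # constructed sample AI prompt
        log.write_text("2026-02-01T09:14:05Z user=jsmith action=export rows=4800\n")
        prompt.write_text("Summarise this customer list for the sales team\n")

        manifest = build_manifest(
            [log, prompt],
            collected_by="IR lead (placeholder)",
            rationale="Files referenced in the containment decision",
        )
        write_manifest(manifest, Path(tmp) / "manifest.json")

        clean = verify_manifest(manifest)      # expected: no problems
        log.write_text("edited after collection\n")
        tampered = verify_manifest(manifest)   # expected: app.log flagged
        return len(manifest["items"]), clean, tampered


if __name__ == "__main__":
    count, clean, tampered = demo()
    print(f"{count} artefacts collected; clean check: {clean}; after edit: {tampered}")
```

In practice the manifest itself should be stored somewhere the people handling the incident cannot quietly change (for example, write-once storage or a ticket attachment), because the hashes only prove integrity from the moment they were recorded.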
Step 1: Containment. Stop the breach continuing, for example, revoke credentials, recall emails, take systems offline, or – in the case of an AI tool – request deletion from the vendor. Engaging cybersecurity experts in advance will boost chances of identifying and resolving breaches.
Step 2: Assessment. Obtain legal advice. Document the information, the people affected, sensitivity, encryption status, and immediate and downstream risk. Do not speculate or assume. Act only on the facts in front of you.
Step 3: Notification:
- Privacy Commissioner: the Privacy Commissioner expects incremental notification in the event of uncertainty. One benefit is that a representative from the Privacy Commissioner will generally provide support.
- Affected individuals: offer concrete mitigation to affected individuals, such as credit monitoring, password resets and identity-theft support.
- Cross-notification: identify notification triggers in parallel, for example, insurers, the National Cyber Security Centre, sector regulators, customers, suppliers, processors, and law enforcement if a criminal offence is suspected.
- Cross-border issues: where affected individuals are overseas or the data was processed offshore, foreign breach-notification laws may apply – remembering that timelines must be coordinated carefully.
- Communications discipline: Avoid speculation, do not minimise, and do not name third-party recipients except as the Privacy Act permits. Coordinate internal and external messaging through one channel.
Step 4: Post-incident review: document root cause, update the AI policy, retrain staff, and adjust controls. The review record is important evidence of compliance with IPP 5 in section 22 of the Privacy Act 2020.
Lastly, you should consider seeking an injunction in the High Court to prevent other parties publishing personal information obtained from malicious actors. The High Court granted injunctions of this nature recently for Langley Twigg Law, Neighbourly Ltd, and ManageMyHealth.
Please contact us for help developing and refining plans and building a suite of assessment tools and draft communications, or for filing for injunctive relief. In parallel, we recommend engaging early with cybersecurity experts such as Aura Information Security.