What it is
A data breach is when any private information held by a business is released, usually publicly, either by accident or on purpose.
Data breaches are easier to avoid than they are to fix. Here’s what you can do to reduce the likelihood of a breach.
To check if your details, or details from your organisation's domain name, have appeared in any other public data breaches, check out the 'Have I been pwned?' website.
Have I been pwned?
As a business owner, you are obligated by the Privacy Act to protect people's personal data.
Preventing privacy breaches – Office of the Privacy Commissioner
Consider what information you really need to collect from clients and contacts.
Your level of risk is based on the amount of data you have — the more you collect, the more valuable it is to an attacker. By only collecting what you need, you reduce your risk.
If you use a cloud service for data storage, check the provider can give you the services and protection you need. Ask them:
Ensure two-factor authentication (2FA) is set up on all data storage systems.
Protect your business with two-factor authentication (2FA)
Make sure you’re encrypting any data you collect. This includes while it’s:
Keeping business data safe with encryption
Ensure data can only be accessed by those who need it – this reduces the risk of it being accidentally shared. Make it clear to employees who have access to data that they can only use it for work-related purposes.
Principle of least privilege – CERT NZ
Develop a response plan for what to do if your business is affected by a data breach – or any other type of online security incident. Make sure your staff know to report any security breach to your IT person or team.
Creating an incident response plan
If your business has had a data breach:
Notification of a breach should be made to the Office of the Privacy Commissioner no later than 72 hours after you become aware of a notifiable privacy breach.
Report a breach to the Privacy Commission – Office of the Privacy Commissioner