Protect your business
Kia pare i tō pakihi i tētahi wāwāhinga raraunga

Protect your business from a data breach

Data breaches are easier to avoid than they are to fix. Here’s what you can do to reduce the likelihood of a breach.

What it is

A data breach is when any private information held by a business is released, usually publicly, either by accident or on purpose.

As a business owner, you are obligated by the Privacy Act to protect peoples' personal data.

Preventing privacy breaches – Office of the Privacy Commissioner

Learn more about data breaches

How to protect your business

  • Data collection

    Consider what information you really need to collect from clients and contacts.

    Your level of risk is based on the amount of data you have — the more you collect, the more valuable it is to an attacker. By only collecting what you need, you reduce your risk.

  • Data storage

    If you use a cloud service for data storage, check the provider can give you the services and protection you need. Ask them:

    • if they’ll back up your data for you, or if you have to do it yourself
    • if they offer the option to use 2FA (if not, see if there’s another provider who does)
    • if they’ll notify you of a security breach if it happens
    • what happens to your data if they’re bought out by another company, or if they go under
    • if they have a public security policy, and a way for you to report security problems to them — for example, through an abuse@ or security@ email address. If not, that should be a red flag for you.

    Ensure two-factor authentication (2FA) is set up on all data storage systems.

    Protect your business with two-factor authentication (2FA)

  • Encryption

    Make sure you’re encrypting any data you collect. This includes while it’s:

    • in transit – for example, collect data from your customers through an form
    • at rest – when it’s stored in a database.

    Keeping business data safe with encryption

  • Manage staff access

    Ensure data can only be accessed by those who need it – this reduces the risk of it being accidentally shared. Make it clear to employees who have access to data that they can only use it for work-related purposes.

    Principle of least privilege – CERT NZ

  • Create an incident response plan

    Develop a response plan for what to do if your business is affected by a data breach – or any other type of online security incident. Make sure your staff know to report any security breach to your IT person or team.

    Creating an incident response plan

To check if your details, or details from your organisation domain name have appeared in any other public data breaches, check out the 'Have I been pwned?' website.

Have I been pwned?

Get help

If your business has had a data breach:

  • disconnect the compromised system from the internet, but don’t turn it off. If you turn it off, you could lose evidence that will help you work out what happened
  • reset the passwords for any compromised accounts
  • report the breach. Under the Privacy Act 2020, if your business or organisation has a breach that is likely to cause anyone serious harm, you are legally required to notify the Privacy Commissioner and any affected persons as soon as practicable
  • be open and transparent with your customers. Notify anyone who could be affected immediately. Let them know:
    • what information was breached
    • what you’re doing to address the problem
    • how they can contact you if they have queries
    • when you’ve fixed the issue.

Report a breach to the Privacy Commissioner

Notification of a breach should be made to the Office of Privacy Commissioner no later than 72 hours after you become aware of a notifiable privacy breach.

Report a breach to the Privacy Commission – Office of the Privacy Commissioner