How to appropriately respond to a cyberattack that results in a privacy breach.

Cybercrime is an ever-present threat in today's increasingly online society, and one of the more damaging consequences of a cyberattack is a privacy breach. Not only can such a breach have financial and legal implications, it can also harm your organisation's reputation and erode client trust. Accordingly, engineering firms should consider in advance what actions they will need to take in the event of a cyber incident, both to meet their legal obligations and to limit reputational damage.

Operating an engineering firm inevitably involves storing client data such as names, contact details, addresses and other potentially sensitive information. Holding that information gives rise to obligations under the Privacy Act 2020, and under any internal privacy policies your firm has adopted. Being familiar with these obligations before an incident occurs is what allows you to manage and respond to a privacy breach appropriately.

In the unfortunate event of a cyberattack, your first step should be to identify what data has potentially been compromised and the extent of the breach, while taking any available steps to limit its impact (for example, isolating affected systems and resetting compromised credentials, without destroying the logs you will need to establish what happened). Questions to consider include whether personal information has been compromised, what kind of information it is, and how many people are affected.

The next step is to assess the severity of the breach. Section 114 of the Privacy Act 2020 requires you to report any notifiable privacy breach to the Office of the Privacy Commissioner (OPC). A notifiable privacy breach is one that has caused, or is likely to cause, serious harm to an affected individual. This includes situations where the exposure of personal information could create safety concerns or cause financial or emotional harm. Other relevant factors are any steps that have been taken to mitigate the risk of harm, the sensitivity of the information, whether the information was protected by a security measure such as encryption, and who has or may obtain the information. It will often be reasonable to conclude that a breach resulting from a cyberattack is likely to cause serious harm, because the information has been accessed unlawfully by an unknown party. If you are unsure, the OPC website's "Privacy breach self-assessment" tool can help you determine whether a breach should be reported.

Additionally, you may need to consider whether other third parties should be informed of the breach, such as banks or credit card companies, employee representatives or the Police. Internal privacy policies should also be consulted to ascertain any further obligations.

Acting quickly is important, as this gives you the best chance of limiting the impact of a breach. The Privacy Act requires notifiable privacy breaches to be reported as soon as practicable, and the OPC expects this to be within 72 hours of your organisation becoming aware of the breach. Failure to notify the OPC of a notifiable privacy breach is an offence under section 118 of the Privacy Act, carrying a maximum fine of $10,000. An inadequate response may also expose you to liability if an affected individual pursues a claim in the Human Rights Review Tribunal. If your organisation is unsure whether a breach meets the threshold for notification, or you have only limited information to hand, it is generally better to report. The OPC will assess whether further action is required and can receive additional information as your organisation establishes the facts.

Unless an exception applies under the Privacy Act, affected individuals must also be told about a notifiable privacy breach as soon as practicable, either by direct contact or, where that is not reasonably practicable, by public notice. This is not only a legal obligation: clear and honest communication allows your clients to take their own steps to mitigate potential harm from the breach, such as changing passwords or monitoring their accounts, and helps to maintain their trust.

In the aftermath of a cyberattack, an organisation should carry out a post-incident review. Identify what led to the breach and how further cyber incidents or privacy breaches could be prevented. This may include strengthening cybersecurity measures, reviewing the privacy policies in place, implementing new procedures or increasing staff training on cybersecurity matters.

Engineering firms should consider what measures they are taking to prevent cyberattacks and what plans are in place if one occurs. A quick, organised response will mitigate the financial, reputational and legal consequences.

Kate Kerrigan is a Legal Advisor at Te Ao Rangahau.

This article was first published in the March 2025 issue of EG magazine.
