Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Discovering a privacy breach in your business can feel like an instant loss of control - customer details are out, an employee has forwarded sensitive files, or a contractor has taken your client list to a competitor.
For small businesses, it’s not just a compliance headache. A privacy breach can quickly become a commercial problem, a reputational issue, and (in some cases) a legal dispute that costs real time and money.
The good news is you’re not powerless. New Zealand law can give businesses practical options to respond, contain the damage, and pursue legal remedies where appropriate - but the right approach depends on what happened, whose information was involved, and how the breach occurred.
This article is general information only and not legal advice. If you’re operating in Australia, different laws may apply. Consider getting advice on your specific situation.
Below, we break down what can count as a privacy breach or breach of confidentiality in New Zealand, what the law generally expects, and the key legal remedies businesses may use to protect themselves.
What Counts As A Privacy Breach Or Breach Of Confidentiality In NZ?
People often use the terms “privacy breach” and “breach of confidentiality” interchangeably, but in practice they can mean different things - and the legal consequences can be different too.
Privacy Breach (Usually About Personal Information)
A privacy breach generally involves personal information. In a business context, that might include information about:
- Customers (names, contact details, purchase history, addresses)
- Employees (payroll info, performance issues, medical details)
- Clients/patients (especially in health or professional services)
- Website users (IP addresses, account data, behavioural data)
Under the Privacy Act 2020, a privacy breach can happen when personal information is:
- accessed without authorisation (e.g. hacked account, staff snooping)
- disclosed without authority (e.g. emailed to the wrong person, leaked externally)
- lost (e.g. stolen laptop, lost USB with customer database)
- destroyed inappropriately (e.g. records deleted when they should be retained)
If you collect personal information, it helps to have a clear Privacy Policy and internal procedures that match what you actually do day-to-day (not just what a template says).
Breach Of Confidentiality (Often About Business Information)
A breach of confidentiality is broader. It can involve personal information, but it often involves confidential business information, such as:
- client lists and pricing
- supplier terms and margins
- financial reports and forecasts
- trade secrets, systems, recipes, methods, software logic
- marketing plans and sales pipelines
This sort of issue commonly comes up when an employee resigns, a contractor relationship ends, or a commercial partnership breaks down.
To reduce the risk from day one, businesses often put confidentiality obligations into:
- employment agreements and workplace policies
- contractor agreements
- a tailored Non-Disclosure Agreement (NDA) for sensitive discussions, pitches, or collaborations
Why Privacy Breaches Hit Small Businesses Hard (And What’s At Stake)
When you’re running a small business, a privacy breach doesn’t sit neatly in one box. It tends to create a chain reaction across operations, customers, and cashflow.
Here are some common risks we see after a breach of privacy or confidentiality:
- Loss of customer trust - especially where financial or identity data is involved
- Direct commercial harm - like a competitor receiving your pricing, pipeline, or client list
- Regulatory stress - dealing with the Office of the Privacy Commissioner (and understanding whether you must notify)
- Employment issues - a staff member may have acted intentionally, accidentally, or out of poor training
- Contract disputes - if a supplier, contractor, or partner caused (or contributed to) the breach
- Operational disruption - locking down systems, investigating access logs, pausing campaigns or client work
Even where the breach seems “small”, it can become serious if the information is sensitive (for example, health information or financial details) or if the breach exposes a pattern of weak security practices.
The main goal is to respond in a way that (1) contains the damage, (2) meets your legal obligations, and (3) puts you in the best position if you need to enforce your rights later.
What NZ Law Says About Privacy Breaches And Confidentiality (The Practical Version)
You don’t need to be a privacy specialist to run a compliant business in New Zealand - but you do need to know the main legal “buckets” that can apply when something goes wrong.
The Privacy Act 2020 (Core Privacy Breach Framework)
The Privacy Act 2020 sets rules for how agencies (including most businesses) must collect, use, store and disclose personal information.
Two practical obligations that matter a lot when a privacy breach happens are:
- Security: you’re expected to take reasonable steps to protect personal information from loss, unauthorised access, use, modification, or disclosure.
- Notifiable breaches: some privacy breaches must be reported (including to affected individuals) if they are likely to cause serious harm.
If you’re dealing with a possible notifiable privacy breach, it can help to have a documented data breach response plan so you’re not trying to make critical decisions under pressure.
Employment Obligations (Confidentiality And Staff Handling Personal Data)
Many privacy breaches happen internally - not because your business is careless, but because someone makes a mistake, misunderstands what they can share, or doesn’t appreciate how sensitive certain information is.
This is where your employment documentation and internal rules matter. If staff handle customer or employee information, clear workplace policies and regular training can help set expectations, reduce the risk of “accidental” disclosures, and support you if you need to take disciplinary steps.
Depending on the scenario, there may also be implied confidentiality obligations in employment relationships - but relying on “implied” terms can be risky. If the information is truly business-critical, it’s best to have express confidentiality obligations in writing.
Contracts And Confidential Information (Employees, Contractors, Partners)
Where the breach involves business information (like pricing, strategies, client lists, or systems), your remedies often depend on your contracts.
Strong contracts should clarify things like:
- what counts as “confidential information” (and what doesn’t)
- how information can be used (and by whom)
- security requirements (passwords, encryption, access limitations)
- return/deletion obligations at the end of the relationship
- what happens if there’s a breach (for example, termination rights and any agreed dispute process)
If the contract is unclear, outdated, or silent on confidentiality, you may still have options - but enforcement is usually slower, more contested, and more fact-dependent.
What Should You Do Immediately After A Privacy Breach?
When a privacy breach happens, your first 24–72 hours matter. The steps you take early can reduce harm, protect your evidence, and help you meet Privacy Act 2020 expectations.
Here’s a practical response checklist many small businesses follow.
1. Contain The Breach (Stop The Bleeding)
- Disable compromised accounts and change passwords
- Revoke access for users who don’t need it
- Recover misdirected emails or documents (where possible)
- Secure physical records (lock filing cabinets, restrict office access)
- Preserve system logs and access records
Try not to “clean up” systems in a way that destroys evidence. You can contain the breach while still keeping records of what happened.
2. Work Out What Information Was Involved
To assess legal risk, you need to know:
- Was personal information involved (customer/employee data)?
- Was it sensitive personal information (health, financial, identification data)?
- How many people are affected?
- Who received it (unknown third party vs trusted recipient)?
- Is the information still accessible online or in someone’s possession?
3. Assess Whether It’s A “Notifiable” Privacy Breach
Some breaches must be notified to the Office of the Privacy Commissioner and affected individuals if they’re likely to cause serious harm.
What counts as “serious harm” depends on context - including the type of information, the person affected, what protections were in place (for example, encryption), and what could realistically be done with the information.
If you’re preparing notifications, be careful to communicate clearly without guessing, overstating what you know, or sharing unnecessary personal information in the notification itself.
4. Communicate Carefully (Internally And Externally)
This is where businesses can unintentionally make things worse. In the rush to respond, it’s easy to send an email that:
- admits liability before the facts are confirmed
- blames a staff member prematurely (creating employment risk)
- creates inconsistent messaging to customers
- misstates what information was involved
It’s often worth getting legal input before sending a broad customer email or public statement, especially if there’s a high risk of complaints or commercial fallout.
5. Fix The Root Cause (So It Doesn’t Happen Again)
Containment is urgent, but prevention is what protects you long-term. Depending on what caused the breach, this might include:
- updating access permissions and admin controls
- adding MFA (multi-factor authentication)
- reviewing staff training and onboarding
- updating contracts with vendors who store or process personal info
- implementing a regular privacy and security review cycle
Legal Remedies For Businesses After A Breach Of Confidentiality Or Privacy Breach
Your legal remedies depend on whether the issue is mainly a privacy breach (personal information), a breach of confidentiality (business information), or both.
Often, it’s a mix - for example, an employee takes a customer list (business asset) which contains personal information (privacy issue).
1. Enforce Contractual Rights (Where You Have Them)
If the person who caused the breach is an employee, contractor, supplier, or business partner, your contract may give you rights to act. Common contractual steps can include:
- Requesting return or deletion of confidential information
- Seeking written confirmation that copies haven’t been retained
- Relying on indemnities (where your contract includes them and they apply)
- Exercising termination rights (where the contract allows and the circumstances justify it)
Where documentation is unclear or you’re unsure what you can enforce, getting a contract review can help you understand your position before you escalate the dispute.
2. Seek An Injunction (To Stop Further Use Or Disclosure)
If confidential information is at risk of being used or shared (for example, a competitor has your files), one of the most effective remedies can be seeking an injunction.
An injunction is a court order that can require someone to stop doing something - such as using, publishing, or disclosing confidential information. This can be especially important where damages (money) won’t truly fix the harm, because once confidentiality is lost it may not be reversible.
Injunctions can be complex, time-sensitive, and evidence-heavy - and whether you can obtain one will depend on the facts - so early legal advice is usually critical if you think you need urgent relief.
3. Claim Damages Or Compensation
Depending on the facts and the legal basis of your claim, you may be able to seek damages for losses caused by the breach. For businesses, that could include:
- lost revenue tied to client poaching or unfair competition
- reasonable costs to investigate and remediate the breach
- contractual losses (for example, if you breach obligations to a third party because data was exposed)
In practice, whether damages are realistic often depends on how clearly you can prove causation and quantify loss. Some types of loss (including reputational impact) can be difficult to measure and may not be recoverable in every situation.
4. Employment Action (If The Breach Was Caused By Staff)
If the breach was caused by an employee, you may need to manage it as both a privacy issue and an employment issue.
This could involve:
- a formal investigation process
- disciplinary action (where justified and procedurally fair)
- updating training and internal rules
- reviewing your employment agreements and policies for gaps
It’s important to follow a fair process, even if you’re confident the employee did the wrong thing - otherwise you risk an employment claim on top of the original breach.
5. Complaints And Regulatory Pathways Under The Privacy Act 2020
If you’re responding to a breach of privacy, the affected person may complain to the Office of the Privacy Commissioner.
From a business perspective, that typically means you’ll need to show you:
- took reasonable steps to protect personal information
- responded promptly once the breach was discovered
- assessed notification obligations properly
- put improvements in place to prevent recurrence
In more serious or unresolved matters, disputes can escalate beyond the Commissioner’s process.
6. Practical Dispute Resolution (Often The Fastest “Remedy”)
Not every breach needs to go straight to court. For many small businesses, the most commercially sensible outcome is to:
- get the information returned/deleted (where possible)
- secure undertakings (written promises) that it won’t be used or disclosed
- agree on corrective steps (and sometimes compensation)
- avoid a drawn-out dispute that drains time and focus
This is where the tone and structure of your initial correspondence can make a big difference - you want to be firm, accurate, and strategic, without escalating unnecessarily.
How To Prevent A Privacy Breach (And Put Yourself In A Stronger Legal Position)
Prevention isn’t just about avoiding problems - it also puts you in a better position if something happens anyway. If you can show you took privacy and confidentiality seriously from the start, it’s much easier to defend your business decisions and enforce your rights.
Here are practical steps that help most small businesses:
Put The Right Documents In Place
- A clear Privacy Policy that matches your real data practices
- A tailored Non-Disclosure Agreement for pitches, collaborations, and sensitive commercial discussions
- Strong confidentiality clauses in your staff and contractor agreements
- Internal privacy rules and training supported by clear workplace policies
Limit Access (Most Breaches Are “Over-Access” Problems)
A simple but powerful principle (often called least privilege): staff and contractors should only access what they need to do their role.
This reduces the chance that a single compromised login exposes everything - and it reduces the damage if someone leaves on bad terms.
Have A Response Plan Before You Need One
When a breach happens, you won’t want to be building the process from scratch. Having a data breach response plan makes it much easier to:
- assign responsibilities
- document decisions
- assess notification obligations
- communicate consistently
Key Takeaways
- A privacy breach usually involves personal information and can trigger obligations under the Privacy Act 2020, including assessing whether the breach is notifiable.
- A breach of confidentiality often involves business information (like client lists, pricing, trade secrets) and your remedies may depend heavily on your contracts and the surrounding facts.
- Act fast: contain the breach, preserve evidence, confirm what information was affected, and communicate carefully (especially externally).
- Legal remedies for businesses may include enforcing contract terms, seeking an injunction, claiming damages (where provable), and taking employment action (with a fair process).
- Strong legal foundations - like a Privacy Policy, NDAs, and internal privacy procedures - help prevent breaches and put you in a stronger position if a dispute arises.
If you’d like help responding to a privacy breach or putting the right confidentiality and privacy protections in place, contact Sprintlaw for a free, no-obligations chat.