New Zealand Faces Calls for Stricter Data Breach Penalties Post-ManageMyHealth Hack


A cybersecurity expert has launched a petition urging New Zealand lawmakers to implement harsher penalties for privacy breaches, citing the recent ManageMyHealth data hack as a catalyst. The call highlights concerns that current sanctions are insufficient to deter organizations from mishandling personal data, potentially hindering investment in robust security measures.

Key Takeaways

  • A petition has been submitted to Parliament advocating for increased penalties for privacy breaches.
  • Current fines of up to $10,000 are considered inadequate, especially for large organizations.
  • International benchmarks, such as those in Australia and the EU, feature significantly higher, turnover-linked penalties.
  • The petition aims to pressure the government into overhauling the Privacy Act.
  • Recent NCSC reports indicate a rise in cyber losses and incidents across New Zealand businesses.

Inadequate Penalties Fueling Inaction

Cybersecurity consultant Katja Feldtmann initiated the petition after the ManageMyHealth data breach. She argues that the current maximum fine of $10,000, which the Privacy Act sets only for a narrow set of specific offences, is too low to give organizations a reason to prioritize data security. For a company generating millions in revenue, she says, such a penalty is a minor cost of doing business, and may well be cheaper than implementing comprehensive security and privacy measures.

International Standards and Proposed Reforms

The petition draws attention to international data protection regimes, particularly those of Australia and the European Union, which impose substantially higher penalties. Australia, for instance, can fine a business for serious or repeated privacy interferences up to the greatest of A$50 million, three times the benefit gained from the conduct, or 30% of its adjusted turnover for the relevant period. New Zealand has no express civil penalty tied to the breach itself: the $10,000 fine applies only to specific non-compliance offences, such as failing to comply with a compliance notice or failing to notify the Privacy Commissioner of a notifiable privacy breach.

Rising Cyber Threats and Financial Losses

Feldtmann’s initiative coincides with a National Cyber Security Centre (NCSC) report detailing a significant increase in cyber losses and incidents. For the third quarter of 2025, direct financial losses reached $12.4 million, a 118% rise on the previous quarter. The NCSC also saw a near doubling of incidents requiring specialist support, with business email compromise and unauthorized access to email accounts the major drivers. Malware sophistication is also increasing, with malware-as-a-service platforms lowering the barrier to entry for cybercriminals.

SMEs Facing Growing Risks

Research commissioned by the NCSC indicates that small and medium-sized enterprises (SMEs) are facing cyber threats more often, yet many have uneven security practices. While 94% of small businesses consider cybersecurity important, a significant portion believe their current measures are already sufficient, which leaves basic controls such as two-factor authentication and regular data backups unadopted. Over half of the businesses that experienced a cyberattack reported negative impacts, including financial loss, operational disruption, and reputational damage.
