Privacy Commissioner calls for significant fines and ‘real consequences’ for cybersecurity breaches
Publish Date: 2026-02-01 13:48:00
Source Domain: lawnews.nz
Neil Sands
Michael Webster
Privacy Commissioner Michael Webster wants the power to impose multi-million-dollar fines in the wake of the Manage My Health (MMH) data breach, arguing his organisation needs teeth because New Zealand businesses are too complacent about cybersecurity.
In one of New Zealand’s biggest privacy breaches, privately-owned health portal MMH was hacked last month and the medical records of more than 120,000 users stolen. The hackers threatened to release the information on the dark web unless they received a $60,000 ransom.
Webster said the extortion attempt left affected users, who had entrusted MMH to hold their data securely, facing the “truly devastating” prospect of sensitive information, such as mental or sexual health records, being published online.
While MMH now says the issue has been “contained”, Webster has launched an urgent inquiry which is due to deliver interim findings by April 30, followed by a deeper dive into how digital service providers handle sensitive data.
He said this was needed because lax attitudes to cybersecurity are common among New Zealand businesses and the Privacy Act 2020 lacks the means to make them meet basic privacy requirements, falling well short of legislation in overseas jurisdictions.
“While there are some exceptions, generally we continue to see complacency across the board, with many agencies taking the approach that privacy breaches and cyber-security hacks will happen to somebody else, not to them,” Webster told LawNews.
“It is not until the privacy risk becomes an issue that organisations prioritise focus in these areas. Even then, once the glare of publicity shifts, focus on good privacy and data-protection basics tends to fall away.”
‘Real consequences’
Under the current Act, the Privacy Commission can investigate breaches, recommend remedies and impose fines of up to $10,000, but Webster wants it amended to ensure companies face genuine…