{"id":183594,"date":"2026-02-01T13:48:00","date_gmt":"2026-02-01T18:48:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/01\/privacy-commissioner-calls-for-significant-fines-and-real-consequences-for-cybersecurity-breaches\/"},"modified":"2026-02-01T14:55:09","modified_gmt":"2026-02-01T19:55:09","slug":"privacy-commissioner-calls-for-significant-fines-and-real-consequences-for-cybersecurity-breaches","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/01\/privacy-commissioner-calls-for-significant-fines-and-real-consequences-for-cybersecurity-breaches\/","title":{"rendered":"Privacy Commissioner calls for significant fines and \u2018real consequences\u2019 for cybersecurity breaches"},"content":{"rendered":"<p><a href=\"https:\/\/lawnews.nz\/privacy-law\/privacy-commissioner-calls-for-significant-fines-and-real-consequences-for-cybersecurity-breaches\/\">Privacy Commissioner calls for significant fines and \u2018real consequences\u2019 for cybersecurity breaches<\/a><\/p>\n<p><a href=\"https:\/\/lawnews.nz\/privacy-law\/privacy-commissioner-calls-for-significant-fines-and-real-consequences-for-cybersecurity-breaches\/\">https:\/\/lawnews.nz\/privacy-law\/privacy-commissioner-calls-for-significant-fines-and-real-consequences-for-cybersecurity-breaches\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-01 13:48:00<\/a><\/p>\n<p>Source Domain: <a href=\"lawnews.nz\">lawnews.nz<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>\t\t\t\tNeil Sands<br \/>\n Michael Webster<br \/>\nPrivacy Commissioner Michael Webster wants the power to impose multi-million-dollar fines in the wake of the Manage My Health (MMH) data breach, arguing his organisation needs teeth because New Zealand businesses are too complacent about cybersecurity.<br \/>\nIn one of New Zealand\u2019s biggest privacy breaches, privately-owned health portal MMH was hacked last month and the medical records of more than 120,000 users stolen. The hackers threatened to release the information on the dark web unless they received a $60,000 ransom.<br \/>\nWebster said the extortion attempt left affected users, who had entrusted MMH to hold their data securely, facing the \u201ctruly devastating\u201d prospect of sensitive information, such as mental or sexual health records, being published online.<br \/>\nWhile MMH now says the issue has been \u201ccontained\u201d, Webster has launched an urgent inquiry which is due to deliver interim findings by April 30, followed by a deeper dive into how digital service providers handle sensitive data.<br \/>\nHe said this was needed because lax attitudes to cybersecurity are common among New Zealand businesses and the Privacy Act 2020 lacks the means to make them meet basic privacy requirements, falling well short of legislation in overseas jurisdictions.<br \/>\n\u201cWhile there are some exceptions, generally we continue to see complacency across the board, with many agencies taking the approach that privacy breaches and cyber-security hacks will happen to somebody else, not to them,\u201d Webster told LawNews.<br \/>\n\u201cIt is not until the privacy risk becomes an issue that organisations prioritise focus in these areas. Even then, once the glare of publicity shifts, focus on good privacy and data-protection basics tends to fall away.\u201d<br \/>\n\u00a0<br \/>\n\u2018Real consequences\u2019<br \/>\nUnder the current Act, the Privacy Commission can investigate breaches, recommend remedies and impose fines of up to $10,000, but Webster wants it amended to ensure companies face genuine consequences when standards are not met.<br \/>\nHe points to Australia\u2019s privacy regime, where companies can be fined either $A50 million ($NZ58m) or 30% of annual turnover, whichever is greater.<br \/>\nAustralia\u2019s privacy regulator secured its first civil penalty in October last year, when the Federal Court ordered Australian Clinical Labs to pay $A5.8m ($NZ6.7m) over a 2022 data breach involving the records of 223,000 people.<br \/>\nAustralia beefed up its privacy laws in 2022 after a string of data breaches and Webster said it was time for New Zealand to take similar action.<br \/>\n\u201cIf New Zealand wants to be serious about privacy, then organisations need to be held accountable for their failings in handling personal information. That includes introducing significant fines and real consequences,\u201d he said.<br \/>\n\u201cWe see multi-million dollar penalties in Australia for organisations who fail to protect personal information, but in New Zealand there\u2019s no civil penalty regime.\u201d<br \/>\nThe Privacy Act falls under the portfolio of Justice Minister Paul Goldsmith, who said he would consider making changes.<br \/>\n\u201cThe government made changes to the Privacy Act last year to meet European Union expectations, and will take advice on whether further strengthening is justified,\u201d he said.<\/p>\n<p>\u2018Hard questions\u2019<br \/>\nWebster said the MMH breach has left New Zealanders questioning the security of their information in a world of increasing cyber-threats and his inquiry would examine what steps the portal took to safeguard users\u2019 data.<br \/>\nThe inquiry has the power to summon witnesses and require information from any relevant organisation or individual.<br \/>\n\u201cAs the independent privacy regulator, my office will be asking the hard questions, not only on behalf of those whose personal health information has been stolen, but for all New Zealanders who need to be able trust that our health information systems are safe and secure,\u201d he said.<br \/>\nIt will focus on MMH, but the terms of reference say: \u201cThe responses of government agencies not within the scope of the Inquiry, the National Cyber Security Centre or the Police to the cyber breach, including the handling of the ransom demand and criminal matters.\u201d<br \/>\nHealth Minister Simeon Brown has commissioned a separate review of his ministry\u2019s response to the breach, which is due to be finalised on April 30.<br \/>\nThe review will be carried out in cooperation with Chief Digital Office Paul James and the National Cyber Security Centre.<br \/>\nIt will look at the incident\u2019s causes, the adequacy of the response, how MMH\u2019s systems integrated with Health NZ\u2019s and recommend improvements in how health information is handled to avoid further breaches.<br \/>\nHowever, it specifically excludes \u201cthe all-of-government response to the incident\u201d and will not make recommendations for reforms not specifically linked to security of health data.<br \/>\nWith the terms of reference of both the Privacy Commission inquiry and Ministry of Health review excluding scrutiny of the overall government response to the security breach, it is unclear whether this issue will be examined.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Privacy Commissioner calls for significant fines and \u2018real consequences\u2019 for cybersecurity breaches https:\/\/lawnews.nz\/privacy-law\/privacy-commissioner-calls-for-significant-fines-and-real-consequences-for-cybersecurity-breaches\/ Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":183595,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/lawnews.nz\/wp-content\/uploads\/2026\/02\/GettyImages-2164227528-scaled.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24],"class_list":["post-183594","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183594"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=183594"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183594\/revisions"}],"predecessor-version":[{"id":183596,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183594\/revisions\/183596"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/183595"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=183594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=183594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=183594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}