The legal ramifications of having client data hacked or stolen

The legal ramifications of having client data hacked or stolen

“It won’t happen to me or my business.”

This is a common belief of many business owners in New Zealand when it comes to the thought of someone hacking into their system and stealing their client data. But unfortunately data theft is on the rise and it is important for all types of organisations to take into consideration what could happen to them, and their customers, if a data breach was to occur.

Karen Ngan is a Partner at law firm Simpson Grierson, and also co-heads the firm’s technology group, and data protection and privacy group. She says that while it is difficult to get concrete numbers on the number of data breaches in New Zealand, as there is currently no legal requirement to notify authorities of it occurring, there have certainly been greater instances of it reported in the media over the past five years, for two main reasons.

“First, the increased use of technology and interaction with customers digitally has resulted in more data being collected. And second –advances in technology mean that hackers are always developing new, and more sophisticated ways of stealing client information.”

What protection do businesses need to have in place?

So because of this continual ‘evolution’ of hackers, and what they are able to do, it is obvious that businesses need to protect themselves against having data being stolen.

Ngan says it comes down to implementing an effective cybersecurity strategy to minimise the risks, and the effects, of a data breach. However, she also notes that this requires a strategic ‘whole-of-business’ approach as it is not, as some organisations may still consider it to be, solely an IT issue.

What could a business owner be liable for?

Just exactly what could you and your business be liable for if you did have client data stolen?

Firstly this would depend to a large degree on the type of data that has been compromised, says Ngan. For example, if the affected data is personal information, there may be implications under the Privacy Act, which could include proceedings before the Human Rights Review Tribunal, or result in being named publicly under the Privacy Commissioner’s ‘name and shame’ policy.

If the data is the subject of confidentiality obligations, the organisation could be in breach of those obligations and be liable for damages that arise from that breach. And if it is data that is being stored on behalf of a customer, the organisation could be in breach of security obligations or service level commitments to the customer.

How can a business owner protect themselves from being held liable of data breaches?

Taking the right precautions to prevent themselves from being on the receiving end of a data hack is critical. However, businesses could also look at addressing liability for any resulting damages from a breach in contract terms.

Ngan notes that service providers commonly seek an acknowledgement by customers that where a service is provided over the internet, data transmissions cannot be guaranteed as completely secure. Or where use of a system is through a customer login and password, the user is responsible for maintaining the confidentiality of their account and password and for all transactions undertaken using that login and password.

However, she warns that limitations and exclusions of liability would need to be considered on a case-by-case basis, as not one size fits all.

What to do if your client data is hacked and/or stolen:

If a business discovers they have been hacked, or client data is compromised, what should be the first thing(s) they do to rectify the situation? Ngan advises the following steps:

  • Contain the breach and assess the impact: Make sure that the cause of the breach is shut down and steps taken to prevent further downstream disclosures so that the breach can be contained. Then assess the potential impact of the breach on all affected parties.
  • Notify affected people if necessary: If a data breach creates a risk of harm, the affected parties should be notified as soon as reasonably possible. Consideration may also need to be given to whether authorities should be notified.
  • Preventative action: Steps should be taken to avoid a repeat of the breach to the extent possible.

Where the compromised information is personal information, reference should be directed at the Privacy Commissioner’s Data Safety Toolkit, which is a guide which includes instructions for businesses about how to respond when a data breach occurs.


To learn strategies for keeping your business data safe, download our free security eBook or call our Microsoft Sales Centre on 0508 526 917.