Consultant petition pushes higher privacy breach penalties in New Zealand

Current law caps some privacy offences at $10,000


By Roxanne Libatique

A petition calling for higher penalties for privacy breaches has been lodged with Parliament by a New Zealand cyber-security consultant, who says current sanctions are too low to change organisational behaviour. Cyber-security consultant Katja Feldtmann has asked MPs to consider stronger, turnover-linked sanctions for serious privacy failures. The initiative follows the Manage My Health data breach and focuses on whether existing financial penalties provide enough incentive for organisations that handle large volumes of personal data.

Petition challenges current privacy enforcement settings

Feldtmann, who is based in Whanganui, said current penalty settings do not create sufficient financial consequences for organisations that mishandle personal information. “Because $10,000 for one organisation, if you make millions, the fact that it’s up to $10,000 and not proportionate, on annual turnover or things like that, it really just is not adequate,” she said, as reported by RNZ. Under the Privacy Act 2020, fines of up to $10,000 apply only to a limited set of offences: failing to comply with a compliance notice, misleading an organisation to obtain someone else’s personal information, destroying requested information to avoid releasing it, and failing to notify the Privacy Commissioner of a notifiable privacy breach. The fine attaches to the non-compliance, not to the breach itself. “They’re just not enough. I think they’re just too low to be encouraging people to do better; they are hindering organisations from doing better because the penalty is cheaper than actually implementing some better security and privacy measures,” Feldtmann said.

Feldtmann said earlier attempts by privacy commissioners to secure higher penalties and stricter rules had not advanced, which led her to seek public backing through a petition. “Privacy Commissioners have tried to get higher penalties and stricter regulation and have failed, so I thought maybe if we can get enough people to sign a petition, then it comes from the people of New Zealand which our government should serve. Maybe that makes a difference,” she said. The petition is listed on Parliament’s website and, if it attracts enough signatures, is expected to be reviewed by a select committee.

International benchmarks referenced in petition

The petition points to penalty settings in Australia and other jurisdictions that are commonly referenced in risk and compliance discussions. Australia increased its privacy penalties in late 2022. For serious or repeated interferences with privacy by a body corporate, courts can impose the greatest of A$50 million, three times the value of the benefit obtained from the conduct, or, where that benefit cannot be determined, 30% of adjusted turnover over the period of the breach. New Zealand has no express civil penalty that applies to a privacy breach itself; the capped $10,000 fines apply only to the specific non-compliance offences described above. “I always look at it and then I look at what the rest of the world is doing, the European Union is the gold standard. We’re in the Five Eyes, and you look at what the others do and then you look at what we have and it’s almost like we don’t really deserve to be in the Five Eyes, at least in that cyber security space and privacy space,” Feldtmann said. Any move to introduce higher, turnover-based fines would be material for carriers that cover regulatory investigations and penalties where the law permits such cover, and could affect assessments of limit adequacy, pricing and policy wording around insurability.

NCSC reports increase in cyber losses

The petition debate comes after the National Cyber Security Centre (NCSC) reported higher financial losses and more incidents requiring specialist support. In its Cyber Security Insights report for the third quarter of 2025 (July 1 to Sept. 30), the NCSC recorded 1,249 incident reports. Direct financial losses for the quarter reached $12.4 million, up from $5.7 million in the previous quarter, a 118% rise. A small number of higher-value cases involving unauthorised or falsified transfers of funds accounted for much of the total. “We have received a number of reports of significant financial losses resulting from business email compromises. This is where a bad actor gains access to email accounts and then sends fake invoices or changes payment details to redirect payments to their bank account,” said NCSC chief operating officer Mike Jagusch.

The NCSC triaged 110 incidents for specialist technical support because they were considered potentially nationally significant, up from 56 in the second quarter of 2025. “A rise in unauthorised access to email accounts was one of the main drivers of this increase in potentially nationally significant incidents. Another reason was a general uptick in other malicious activity that we linked to cyber criminals and financially motivated actors,” Jagusch said. For the insurance sector, the figures may inform reviews of limits and sublimits for business email compromise, social engineering, and funds transfer fraud, and may influence underwriting questions on email security, payment verification controls, and staff awareness.

Malware, scams, and fraud remain common incident types

The NCSC also reported more malware-related incidents in the same period, noting changes in how malicious software is made available and used. “The cyber threat landscape is evolving quickly. Malware is becoming much more sophisticated. For example, bad actors now offer malware-as-service platforms that give criminals who lack advanced technical skills the ability to deploy malicious software,” Jagusch said. Scams and fraud remained the largest incident category, as they have been since the fourth quarter of 2024. In the third quarter of 2025, the NCSC observed a 50% increase in scams involving employment and business opportunities, including false job offers and fictitious business proposals. These developments are of interest to insurers writing cyber, crime, and professional lines, particularly where clients depend on digital channels for recruitment, contracting, and payments.

SMEs report more incidents and uneven security practices

Separate research commissioned by the NCSC and carried out by The Research Agency (TRA) indicates more frequent cyber threats for small and medium-sized enterprises (SMEs), along with uneven adoption of basic controls. “[In 2025], 53% of New Zealand’s small to medium businesses told us they experienced a cyber threat in the past six months, significantly higher than the 36% reported in last year’s survey. With cyber threats increasing in frequency and sophistication globally, New Zealand’s businesses need to anticipate a cyber security attack and plan accordingly to lessen the threat and be ready to respond,” Jagusch said.

The research found that 94% of small businesses see cyber security as important, but many respondents consider their existing measures sufficient. “This perception by some businesses that they are already doing enough is preventing them from implementing some of the most important cyber security practices such as using two-factor authentication (2FA) and regularly backing up their data and files. 2FA is a simple and effective way of adding an extra layer of protection to online accounts that can often prevent the majority of online attacks. Of the businesses surveyed that experienced a cyberattack, over 50% of these attacks caused at least some impact on the business. These include financial loss, time lost, impact to business operations and productivity, damaged reputation with customers or suppliers, or access to sensitive business information or businesses accounts,” Jagusch said.
