CharityInsurance.co.nz
Cyber & Privacy | The CharityInsurance Crew | 7 min read | 12 March 2026

Your Charity Has Suffered a Privacy Breach. What Happens Next?

The Privacy Act 2020 introduced mandatory reporting of notifiable privacy breaches for all organisations in New Zealand — including charities and not-for-profits. A breach is notifiable if it is likely to cause serious harm to the individuals affected. Here's what the response looks like in practice — and how insurance changes the outcome.

What Counts as a Notifiable Privacy Breach?

A privacy breach occurs when personal information is lost, accessed by unauthorised people, or disclosed without authority. A notifiable breach is one that has caused, or is likely to cause, serious harm. Factors relevant to serious harm include:

  • The sensitivity of the information (health data, financial information, and location data are higher risk)
  • The likely scale of disclosure
  • Whether the information could be used for identity theft or fraud
  • The vulnerability of the people affected (beneficiaries of charities are often vulnerable people)

Most charities hold sensitive data: donor financial information, beneficiary personal and health details, and volunteer records. A breach involving any of this information is likely to meet the threshold for a notifiable breach.

The Mandatory Reporting Timeline

Once you become aware of a notifiable breach, you must:

  1. Notify the Office of the Privacy Commissioner as soon as practicable
  2. Notify the individuals whose information was compromised (unless impractical or notification would cause greater harm)

There is no defined time limit in the Act for notification — "as soon as practicable" applies. The Privacy Commissioner can investigate compliance and can make recommendations or determinations. The Human Rights Review Tribunal can award damages where breaches caused harm.

The True Cost of a Privacy Breach

The visible costs of a privacy breach for a charity include:

  • Forensic investigation: Understanding what happened and what data was accessed costs $5,000–$50,000+ depending on IT complexity
  • Legal advice: Regulatory counsel during a Privacy Commissioner investigation costs $10,000–$50,000+
  • Individual notification: Drafting and sending notification to hundreds or thousands of donors or beneficiaries costs time and money
  • Credit monitoring: Where financial data was compromised, providing credit monitoring to affected individuals is best practice
  • Reputational damage: Donor trust, once lost, is hard to rebuild. Fundraising revenue can decline materially following a publicised breach

How Cyber Insurance Helps

Cyber insurance for charities covers the specific costs of a privacy incident:

  • Forensic investigation to establish what happened
  • Legal and regulatory costs during a Privacy Commissioner investigation
  • Notification costs to affected individuals
  • Credit monitoring provision
  • PR and reputation management costs
  • Business interruption (if your systems are offline during incident response)

Without cyber insurance, all of these costs fall on the organisation. For small charities with limited reserves, a significant breach response can be existential.

Prevention: The First Line of Defence

While insurance covers the costs of a breach, prevention is always preferable. Core steps for charities:

  • Use a reputable donor management system with strong access controls
  • Enable multi-factor authentication on all accounts that hold personal data
  • Limit data access to those who need it
  • Have a written data retention and disposal policy
  • Train all staff and regular volunteers on privacy obligations
  • Have a documented breach response plan — knowing who to call and what to do in the first 24 hours is critical

Getting the Right Cyber Cover for Your Charity

Cyber insurance for charities varies significantly in quality and coverage. A specialist broker can help you find a policy that covers the full response cycle — not just data restoration, but the regulatory, legal, and notification costs that represent the true cost of a breach for a charitable organisation.

About the Author

The CharityInsurance Crew — the CharityInsurance crew are your friendly insurance geeks on a mission to make specialist cover simple and accessible for every NZ charity, sports club, and community organisation.
