
Parliament petition seeks to increase penalties for serious or repeated privacy breaches

Thursday, 15 January 2026

Katja Feldtmann, founder of cyber security firm Cybershore in Whanganui, has launched a petition asking the House of Representatives to increase penalties for serious or repeated privacy breaches. (File photo)

A digital governance professional has launched a Parliamentary petition calling on lawmakers to close long-standing gaps in New Zealand’s approach to cybersecurity and data privacy.

Katja Feldtmann, founder of cyber security firm Cybershore in Whanganui, asked the House of Representatives to increase penalties for serious or repeated privacy breaches, strengthen the enforcement powers of the Office of the Privacy Commissioner (OPC), and improve accountability for organisations that fail to protect personal or health information.

Feldtmann’s petition followed the Manage My Health data breach scandal, which exposed the Office of the Privacy Commissioner’s limited enforcement powers, a lack of resources, and what she described as an “outdated” Privacy Act.

Feldtmann said privacy breaches could cause serious harm, such as identity theft, financial loss, emotional distress and a loss of trust in essential services.

While acknowledging the Privacy Act 2020 strengthened New Zealand’s privacy framework, she argued penalties and enforcement powers remained limited.

The act established specific criminal offences with maximum fines of up to $10,000 imposed through the court system.

Feldtmann argued that heavier fines and stronger powers for the Office of the Privacy Commissioner could deter poor practices, improve accountability and ensure organisations adequately protect personal information.

Speaking to the Wairarapa Times-Age, Feldtmann said under-investment in security and a lack of oversight were driving data breaches.

“There is no one size fits all” when it came to implementing good security practice, she said.

“What good looks like depends on the organisation and the context in which they operate.”

“For me, company boards need to define the intent in their security policy — for example, our intent is to develop secure systems or provide secure services for our citizens — and then obviously they have to comply with the regulation.”

However, Feldtmann said she believed low penalties were driving complacency, creating an environment, particularly for larger businesses, where paying the fine could be preferable to improving security.

The “she’ll be right” attitude was also putting sensitive information at risk.

“We have this attitude and thinking that we are this isolated nation at the end of the world, which is all good, but I think times have changed,” she said.

Feldtmann was keen to dispel the myth that hackers would find personal health data “boring”.

“People don’t really understand how the data can be used, and also it might not be used now — everyone forgets about this. In five years, someone calls them and blackmails them because they have certain information about them.”

She said cybersecurity ultimately came down to risk management.

Individuals and organisations could choose whether or not to reduce known risks, but many organisations failed to act even when problems were clearly identified.

“We are living in a world where we are waiting to be told, and then even when we are told we are still not doing [anything about it].”

Without meaningful enforcement or penalties, she said, there was little incentive to fix serious privacy and security weaknesses.

Feldtmann said she was hopeful that with enough signatures, her petition would force Parliament to address what she saw as systemic inaction.

“I don’t know what it takes to get the change, but this is just one way to try.”

The petition was available to be signed on the Parliament website for the next 45 days, and as of Wednesday had attracted 239 signatures.