As the prevalence and impact of cybersecurity incidents in New Zealand grow, we expect Kiwis will increasingly seek redress for data breaches. This follows the pattern of developments in the UK, US, Canada and, to some extent, Australia, where class actions are now a feature of the data protection landscape.
While there have been increased regulatory actions regarding data breaches in New Zealand, consumer actions have been less common. Below we consider the likelihood of data breach class actions being brought in New Zealand moving forward.
There are two leading causes of action that individuals may use to bring an action in respect of a data breach in New Zealand.
A data breach class action has not yet been filed in New Zealand. However, the number of class actions filed in New Zealand courts has steadily grown over recent years.
It is also becoming increasingly common for class actions to be run on an ‘opt-out’ basis, whereby individuals meeting the specified circumstances automatically form part of that class unless they actively take steps to remove themselves. This distinction between ‘opt-in’ and ‘opt-out’ is important, as it significantly affects the class size and the possible damages or compensation.
Earlier this month, a multimillion-dollar opt-out class action claim against ANZ and ASB was given the green light by the New Zealand High Court. As the action is ‘opt-out’, 150,000 borrowers to whom the two banks allegedly failed to refund interest and fees following a breach of their disclosure obligations will automatically be included in the claim unless they take action to opt out.
Coupled with this trend of opt-out claims, the New Zealand Law Commission has recently issued its report on class actions and litigation funding in New Zealand. The report recommends the introduction of a new Class Actions Act designed to facilitate increased access to justice, including by way of ‘opt-out’ class actions.
While the report is not binding, it provides a clear insight into the future landscape of class actions and litigation funding in New Zealand. This also reflects a policy to balance the power between large companies (particularly those that collect large volumes of data) and individuals. Individuals require the ability to enforce their rights directly against such companies in order to hold them accountable.
The increasing number of class actions in New Zealand, together with the growing impact of cybersecurity incidents, means there is a real possibility of a data breach class action being brought in New Zealand in the near future.
However, there are specific considerations in respect of a data breach class action that indicate the likelihood of one being brought. These include:
Clyde & Co’s Technology & Media Team has unparalleled and specialised expertise across the privacy, cyber and broader technology and media practice areas. It also houses the largest dedicated and market leading privacy and cyber incident response practice across Australia and New Zealand.
The firm's tech, cyber, privacy and media practice provides an end-to-end risk solution for clients. From advice, strategy, transactions, innovations, cyber and privacy pre-incident readiness, incident response and post-incident remediation through to regulatory investigations, dispute resolution, recoveries and third-party claims, the team assists its clients, inclusive of corporate clients, insurers, insureds and brokers across the full spectrum of legal services within this core practice area.
 Hosking v Runting (2004) 7 HRNZ 301.
 Winston Peters v Attorney-General on behalf of Ministry of Social Development  NZCA 355.
 Southern Response Earthquake Services Ltd v Ross  NZSC 126; Simons v ANZ Bank NZ Ltd  NZHC 1836.
 Law Commission Class Actions and Litigation Funding (NZLC R147, 2022).