When a company gets hacked, patient records are leaked, or a bank’s system goes down, everyone asks: who is accountable for cyber security? It’s not just the IT team. It’s not just the CEO. And it’s definitely not just the hacker. The truth is, accountability for cyber security is spread across multiple layers - and when things go wrong, the law steps in to figure out who pays the price.
It Starts With the Organization
Every business that handles data - even a small online store - has a legal duty to protect it. Under laws like New Zealand’s Privacy Act 2020 and the EU’s GDPR, organizations must take reasonable steps to secure personal information. That means installing firewalls, training staff, updating software, and having a plan for breaches. If they don’t, and a breach happens, the organization is legally responsible. Not the intern who clicked a phishing link. Not the third-party vendor. The organization itself.
Think of it like this: if your restaurant doesn’t clean its kitchen and customers get sick, you’re liable. Same with cyber security. Ignorance isn’t a defense. Not having a budget for security? That’s a choice. Skipping employee training? That’s negligence.
The Role of Leadership
In many countries, including New Zealand, senior executives - especially CEOs and CIOs - can be held personally accountable. Courts and regulators are increasingly asking: Did leadership know about the risks? Did they act? In 2023, a New Zealand health provider was fined $240,000 after a ransomware attack exposed 80,000 patient records. The regulator didn’t just blame IT. They pointed to board-level failures to prioritize cyber risk in budgeting and oversight.
Leadership doesn’t need to know how to code. But they do need to understand that cyber risk is business risk. If your board meets quarterly to review sales targets but never talks about phishing drills or patch cycles, you’re already on the wrong side of accountability.
Third Parties and Supply Chains
Most companies don’t run everything in-house. They use cloud services, payroll providers, CRM tools, and external IT firms. But here’s the catch: outsourcing doesn’t outsource liability. If a vendor’s weak password policy leads to your customer data being stolen, you’re still on the hook.
That’s why contracts now include strict security clauses. A 2025 survey of New Zealand SMEs found that 68% had updated vendor agreements to require third parties to meet specific cybersecurity standards - or face termination. If your software provider gets hacked because they didn’t encrypt data, and your clients suffer, you can’t say, “It wasn’t us.” The law sees you as jointly responsible.
Employees: The Weakest Link - But Not the Scapegoat
People make mistakes. An employee opens a malicious email. A manager shares a password over Zoom. A remote worker uses public Wi-Fi to access the company network. These are common. But blaming the employee alone? That’s a legal trap.
Under employment and privacy law, employers have a duty to train, monitor, and protect their workforce. If you don’t give staff basic cyber hygiene training - like recognizing phishing or using multi-factor authentication - and they get phished, the organization failed first. You can’t punish someone for failing a test you never gave them.
That said, intentional misconduct - like stealing data or installing malware - is a different story. That’s criminal behavior. And that’s where a cyber crime lawyer steps in.
Cyber Crime Lawyers: Who They Are and What They Do
A cyber crime lawyer doesn’t just defend hackers. They help organizations understand where they stand legally after a breach. They advise on reporting obligations, negotiate with regulators, and represent clients in civil lawsuits or criminal investigations.
For example, if a hospital’s patient data is leaked and 10,000 people sue for emotional distress, a cyber crime lawyer will examine:
- Did the hospital follow industry standards?
- Were security controls documented and enforced?
- Was the breach reported within the legal window? Under the GDPR that is 72 hours to the supervisory authority; under New Zealand’s Privacy Act 2020 a notifiable breach must be reported to the Privacy Commissioner as soon as practicable.
- Did leadership ignore warning signs?
They also work with prosecutors when insiders steal data or when ransomware gangs are traced back to individuals. In 2024, a Wellington-based cyber crime lawyer helped convict a former IT contractor who sold customer login details to a criminal ring. The conviction hinged on proving the company had clear policies - and the employee violated them knowingly.
Who Gets Punished? Real Cases
In 2023, a New Zealand retail chain lost $1.7 million after a ransomware attack. The company had ignored internal warnings for months. The Privacy Commissioner fined them $150,000. The CEO was publicly named. Shareholders sued. The CIO resigned. No one went to jail - but the financial and reputational damage was permanent.
Compare that to a 2022 case in Auckland: a small accounting firm didn’t have firewalls or backups. When hackers encrypted their files and demanded $50,000 in Bitcoin, the firm paid. They didn’t report it. Three months later, the same hackers hit another client. Police traced the attack back to the first firm’s unsecured server. The owner was charged under the Crimes Act 1961 for failing to take reasonable steps to prevent harm. They received a community sentence and a $30,000 fine.
These aren’t outliers. They’re examples of how accountability works in practice: it’s layered, it’s predictable, and it’s unforgiving.
What You Can Do Now
If you run a business, here’s what accountability looks like in action:
- Assign a cybersecurity lead - even if it’s part-time.
- Document your security policies and update them quarterly.
- Train every employee, including contractors, at least twice a year.
- Require third parties to prove their security practices in writing.
- Test your systems with simulated attacks - at least once a year.
- Know your legal reporting deadlines. In New Zealand, a breach that it is reasonable to believe has caused serious harm to an affected individual, or is likely to, must be reported to the Privacy Commissioner as soon as practicable after you become aware of it. If the GDPR applies to you, the deadline to the supervisory authority is 72 hours.
These aren’t suggestions. They’re legal expectations.
When It’s Too Late
If you’ve already been breached, don’t panic. But don’t delay either. The reporting clock starts the moment you become aware of a breach - as soon as practicable under New Zealand’s Privacy Act 2020, and within 72 hours under the GDPR. Contact a cyber crime lawyer immediately. They can help you:
- Assess your legal exposure
- Prepare the mandatory breach notification
- Respond to regulators without incriminating yourself
- Defend against lawsuits from affected customers
Waiting to see if anyone notices? That’s how fines multiply. Silence is rarely the right legal strategy.
Final Thought
Cyber security isn’t a tech problem. It’s a legal and leadership problem. The person who clicks the link isn’t the one who’s accountable - unless they were given no training and no tools. The real accountability lies with the people who had the power, the budget, and the responsibility to stop it before it happened.
If you’re reading this because your company got hit - you’re not alone. But the clock is ticking. And the law doesn’t care how busy you were. It only cares if you did what was reasonable.
Who is legally responsible if a third-party vendor causes a data breach?
The organization that owns the data is still legally responsible. Even if the breach happened because a vendor had weak security, the company that collected the data must ensure their vendors meet security standards. Contracts should require vendors to follow specific protocols, and failure to do so can lead to liability, fines, or lawsuits against the data owner.
Can an employee be held criminally liable for a cyber incident?
Yes - but only if they acted intentionally or recklessly. Accidentally clicking a phishing link won’t get you charged. But if an employee steals customer data, installs malware, or bypasses security to access restricted systems, they can be prosecuted under criminal law. Employers should have clear policies and training to reduce the risk of such actions.
Is cybersecurity a personal responsibility for CEOs?
Yes. In many jurisdictions, including New Zealand and the EU, executives can be personally liable if they fail to exercise due diligence. This means ignoring known risks, underfunding security, or not asking questions about cyber threats. Regulators are increasingly naming individuals in enforcement actions - not just companies.
What happens if a small business can’t afford cyber security?
Cost isn’t a legal excuse. The law requires "reasonable" steps, not perfect ones. For small businesses, that might mean using free multi-factor authentication, updating software regularly, training staff on phishing, and backing up data daily. Many free tools exist. The real cost is ignoring security - fines, lawsuits, and lost trust can wipe out a small business faster than a ransomware attack.
Do I need a cyber crime lawyer if I’m not a hacker?
Absolutely. Cyber crime lawyers don’t just defend hackers. They help businesses navigate breaches, respond to regulators, avoid lawsuits, and understand their legal obligations. If your business handles data, you need one on speed dial - not just when something goes wrong, but before it does.