On June 7, 2023, New Zealand’s Office of the Privacy Commissioner (OPC) issued a statement [1] encouraging all businesses to adopt two-factor authentication (2FA) to protect information that they hold. In her remarks, Deputy Commissioner Liz MacPherson highlighted that this should be the case regardless of the size of the organisation. She referenced the OPC’s latest small businesses insights report, and opined that:

“When a cyber… breach occurs, the question [that will be asked] … is ‘have you taken reasonable cybersecurity steps to protect the personal data you hold?’ Not to have taken reasonable steps is a breach of the Privacy Act… What is reasonable depends on the size of the organisation and the scale and sensitivity of the personal information they hold.

Two-factor authentication… provides an additional step of verification and greater security. [It] is a bare minimum we would expect for small businesses or organisations that hold or share personal information digitally. If you are a small business that has a cyber-related privacy breach and don’t have at least two-factor authentication in place, expect to be found in breach of the Privacy Act.”


While the OPC’s comments are certainly useful in defining its expectations for the security standards that apply to data in New Zealand, they are equally relevant for any business looking to demonstrate that it has applied best practices to protect the data it holds. In particular, a business should take heed and adopt 2FA where appropriate, as having done so would be an especially useful mitigating argument when defending itself against regulatory sanctions and other legal repercussions that could arise from a data breach.

Privacy World will continue to cover developments. For more information, contact your relationship partner at the firm.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

[1] “Office of the Privacy Commissioner encourages two-factor authentication in war on cybercrime”, New Zealand Office of the Privacy Commissioner