Phishing Policy Template for New Zealand

What is a Phishing Policy?

This Phishing Policy is intended for organizations operating in New Zealand that want to establish robust cybersecurity measures against email-based threats and social engineering attacks. The policy is designed to comply with New Zealand's cybersecurity framework, including the Privacy Act 2020 and relevant sections of the Crimes Act 1961. Organizations should implement this Phishing Policy to set clear guidelines for email security, define response procedures for suspected phishing attempts, and outline training requirements for all personnel. The policy addresses modern cybersecurity challenges while taking account of New Zealand's specific regulatory requirements and business environment, providing a comprehensive framework for protecting organizational assets and data from phishing attacks.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

New Zealand

Publisher

GenieAI

Sector

Business

Cost

Free to use

About the Phishing Policy

A phishing policy is a critical cybersecurity document that establishes comprehensive guidelines for protecting your organization against email-based threats, social engineering attacks, and fraudulent communications. This policy serves as your organization's primary defense mechanism against cybercriminals who attempt to steal sensitive information, compromise systems, or gain unauthorized access to personal data through deceptive emails and communications.

When do you need this document?

You need a phishing policy when your organization handles personal information subject to the Privacy Act 2020, operates email systems accessible by employees or contractors, or processes sensitive business data that could be targeted by cybercriminals. This policy is essential for companies with remote workers who access organizational systems from various locations, businesses that handle customer data or financial information, and organizations that rely on email communications for daily operations. You should also implement this policy if your organization uses third-party IT services, cloud-based systems, or electronic payment processing, as these create additional vulnerability points for phishing attacks.

Key legal considerations

Your phishing policy must address several critical legal obligations under New Zealand law. The Privacy Act 2020 requires organizations to implement reasonable security safeguards for personal information, making phishing prevention a legal necessity rather than just good practice. The policy should clearly define roles and responsibilities for cybersecurity, establish incident response procedures that comply with breach notification requirements, and outline training programs to ensure all personnel understand their obligations. Under the Crimes Act 1961, particularly sections 249-252, your organization could face liability if inadequate cybersecurity measures contribute to computer system crimes or unauthorized access. The policy must also consider employment obligations under the Employment Relations Act 2000, ensuring that cybersecurity responsibilities are clearly communicated to all staff members and contractors.

Legal requirements in New Zealand

New Zealand organizations must ensure their phishing policies comply with the Privacy Act 2020's requirement for reasonable security measures protecting personal information. This includes implementing technical safeguards, conducting regular security assessments, and maintaining documentation of cybersecurity measures. The Harmful Digital Communications Act 2015 may apply when phishing attacks involve deceptive communications targeting your organization or employees. Your policy should establish clear procedures for reporting suspected phishing attempts to relevant authorities, including the Computer Emergency Response Team New Zealand (CERT NZ) when appropriate. The Contract and Commercial Law Act 2017 provisions regarding electronic transactions require that your policy address security measures for electronic communications and digital signatures. Organizations must also ensure that their phishing policy aligns with any industry-specific regulations and international standards if they operate across multiple jurisdictions or handle data subject to overseas privacy laws.

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it