Phishing Policy Template for New Zealand
What is a Phishing Policy?
This Phishing Policy is essential for organizations operating in New Zealand seeking to establish robust cybersecurity measures against email-based threats and social engineering attacks. The policy is designed to comply with New Zealand's cybersecurity framework, including the Privacy Act 2020 and relevant sections of the Crimes Act 1961. Organizations should implement this Phishing Policy to establish clear guidelines for email security, define response procedures for suspected phishing attempts, and outline training requirements for all personnel. The policy addresses modern cybersecurity challenges while considering New Zealand's specific regulatory requirements and business environment, providing a comprehensive framework for protecting organizational assets and data from phishing attacks.
About the Phishing Policy
A phishing policy is a critical cybersecurity document that establishes comprehensive guidelines for protecting your organization against email-based threats, social engineering attacks, and fraudulent communications. This policy serves as your organization's primary defense mechanism against cybercriminals who attempt to steal sensitive information, compromise systems, or gain unauthorized access to personal data through deceptive emails and communications.
When do you need this document?
You need a phishing policy when your organization handles personal information subject to the Privacy Act 2020, operates email systems accessible by employees or contractors, or processes sensitive business data that could be targeted by cybercriminals. This policy is essential for companies with remote workers who access organizational systems from various locations, businesses that handle customer data or financial information, and organizations that rely on email communications for daily operations. You should also implement this policy if your organization uses third-party IT services, cloud-based systems, or electronic payment processing, as these create additional vulnerability points for phishing attacks.
Key legal considerations
Your phishing policy must address several critical legal obligations under New Zealand law. The Privacy Act 2020 requires organizations to implement reasonable security safeguards for personal information, making phishing prevention a legal necessity rather than just good practice. The policy should clearly define roles and responsibilities for cybersecurity, establish incident response procedures that comply with breach notification requirements, and outline training programs to ensure all personnel understand their obligations. Under the Crimes Act 1961, particularly sections 249-252, your organization could face liability if inadequate cybersecurity measures contribute to computer system crimes or unauthorized access. The policy must also consider employment obligations under the Employment Relations Act 2000, ensuring that cybersecurity responsibilities are clearly communicated to all staff members and contractors.
Legal requirements in New Zealand
New Zealand organizations must ensure their phishing policies comply with the Privacy Act 2020's requirement for reasonable security measures protecting personal information. This includes implementing technical safeguards, conducting regular security assessments, and maintaining documentation of cybersecurity measures. The Harmful Digital Communications Act 2015 may apply when phishing attacks involve deceptive communications targeting your organization or employees. Your policy should establish clear procedures for reporting suspected phishing attempts to relevant authorities, including the Computer Emergency Response Team New Zealand (CERT NZ) when appropriate. The Contract and Commercial Law Act 2017 provisions regarding electronic transactions require that your policy address security measures for electronic communications and digital signatures. Organizations must also ensure that their phishing policy aligns with any industry-specific regulations and international standards if they operate across multiple jurisdictions or handle data subject to overseas privacy laws.
GOVERNING LAW
Applicable law
This Phishing Policy is drafted to comply with New Zealand law. Key legislation includes:
Crimes Act 1961 (specifically sections 249-252): Covers computer system crimes, including unauthorized access and dishonest use of computers, which are relevant to phishing attacks.
Harmful Digital Communications Act 2015: Deals with harmful digital communications and could be relevant when phishing attacks involve deceptive or harmful communications.
Employment Relations Act 2000: Relevant for establishing employee obligations and responsibilities regarding cybersecurity practices and phishing prevention.
Contract and Commercial Law Act 2017: Contains provisions about electronic transactions and digital security, relevant for establishing security protocols and responsibilities.
Fair Trading Act 1986: Relevant when phishing affects customers or business relationships, particularly regarding misleading and deceptive conduct.
Electronic Identity Verification Act 2012: Provides a framework for secure electronic identity verification, important for preventing identity theft through phishing.
CERT NZ Framework: While not legislation, these are government-endorsed guidelines for cybersecurity incident reporting and management.