Could you get into trouble with the law if you lose a USB stick?

Mar 31, 2026 | IT News & Insights New Zealand | Cybersecurity, AI & Microsoft Updates, Security

 

A lost USB stick can be a notifiable privacy breach.

Here’s why that matters

It sounds old school, but USB sticks are still floating around plenty of NZ businesses. A recent draft decision note from the Office of the Privacy Commissioner is a timely reminder that losing one isn’t just inconvenient. It can cross the line into a notifiable privacy breach.

Why a lost USB can be a big problem

In the decision note, the Privacy Commissioner considered a situation where a USB stick containing personal information was lost and never recovered.
Because the organisation couldn’t be confident the data was protected or inaccessible, the loss created a real risk of harm to the people involved. That’s what tipped it into notifiable breach territory.
If personal information goes missing and you can’t rule out misuse, you may have an obligation to notify both the Privacy Commissioner and affected individuals.

It’s not about the USB — it’s about risk

This isn’t a story about outdated tech. It’s about risk management.
When regulators assess a breach, they look at things like:
  • What type of personal information was involved
  • Whether it was encrypted or otherwise protected
  • Who could realistically access it
  • Whether the organisation could contain or recover the data
If the answers aren’t clear, the risk goes up.

What this means for NZ businesses

For many organisations, the biggest exposure isn’t hackers. It’s everyday behaviour and legacy practices that haven’t been revisited in years.
Think:
  • Data copied “just in case”
  • Files taken home to finish work
  • Portable storage with no encryption
  • No clear policy on what’s allowed (or not)

 

Practical steps to reduce your risk

You don’t need to ban productivity to improve privacy. A business‑first IT approach helps you protect data and keep work flowing.
A few good starting points:
  • Reduce reliance on portable storage by using secure cloud platforms
  • Encrypt anything that leaves your environment
  • Set clear policies around personal data handling
  • Train staff on what to do (and what not to do)
  • Review how incidents are detected and reported
This is proactive IT — identifying issues early, before they become problems.

 

Making IT simple — and safer

Privacy compliance isn’t about ticking boxes. It’s about protecting people, trust, and your reputation. If you’re unsure how personal data moves through your business, or whether your current setup would stand up to scrutiny, we’re happy to help.