ARTICLE
3 December 2025

Navigating AI, security and cyber washing for New Zealand businesses

WW
Wynn Williams Lawyers

Contributor

Wynn Williams Lawyers logo
Wynn Williams is a renowned law firm in New Zealand, offering a full range of legal services with a team of skilled lawyers. Established in 1859, the firm is known for its expertise, straightforward advice, and strong client relationships. Recognized in prestigious legal directories, Wynn Williams is proud of its heritage and commitment to honest, experienced guidance for clients. Offices are located in Auckland, Christchurch, and Queenstown.
Explore Firm Details
As AI becomes more embedded in digital infrastructure, it introduces new security risks & regulatory challenges.
New Zealand Technology
Katrina Hammon and Roxana Cvasniuc
Your Author LinkedIn Connections
Wynn Williams Lawyers are most popular:
  • within Intellectual Property topic(s)
  • with Senior Company Executives, HR and Inhouse Counsel
  • with readers working within the Accounting & Consultancy, Business & Consumer Services and Chemicals industries

Artificial intelligence (AI) is rapidly transforming the way New Zealand businesses operate, offering new efficiencies, insights and capabilities.

However, as AI becomes more embedded in digital infrastructure, it introduces new security risks and regulatory challenges. At the same time, the rise of "cyber washing", which is the practice of overstating or misrepresenting the security or AI capabilities of products and/or services, poses significant risks for businesses and consumers.

Opportunities and threats

AI technologies are integral to modern cybersecurity strategies. By leveraging machine learning and data analytics, AI systems can continuously monitor networks, detect anomalies, and respond to potential threats in real time.

Yet, while AI enhances cybersecurity, it also introduces new and complex risks. The same technologies that help businesses, can be exploited by attackers. Cybercriminals are using AI to automate attacks, generate convincing phishing messages, and create deepfakes that can deceive individuals and businesses. AI tools can also be used to probe systems for vulnerabilities at unprecedented speed and scale, allowing attackers to tailor their strategies in ways that outpace traditional defences.

The dual nature of AI means businesses must take a more proactive and adaptive approach to security.

Understanding cyber washing

Cyber washing can include:

  • marketing software as "AI powered" when it uses only basic automation or rule based logic;
  • claiming compliance with security standards or certifications that have not been independently verified; and
  • overstating the effectiveness of security features, such as "unbreakable encryption" or "100% protection".

Cyber washing is problematic because it gives customers a false sense of security, exposes businesses to regulatory action and/or legal claims, and undermines trust in the market.

Legal and regulatory framework

New Zealand's legal framework for cybersecurity and data protection is primarily governed by the Privacy Act 2020 (PA), which sets out obligations for the collection, use, and protection of personal information. The PA requires agencies to implement reasonable security safeguards and to notify the Privacy Commissioner and affected individuals in the event of a notifiable privacy breach.

While there is currently no AI-specific legislation in New Zealand, existing privacy laws apply to the use of AI. The Office of the Privacy Commissioner (Privacy Commissioner) has issued guidance on the responsible use of AI.

In addition to privacy obligations, businesses must also be mindful of their responsibilities under the Fair Trading Act 1986 (FTA), which prohibits misleading and deceptive conduct. This applies to marketing claims relating to cybersecurity or AI capabilities. Overstating the sophistication, reliability, or security of AI-enabled systems may constitute "cyber-washing", exposing businesses to regulatory scrutiny and reputational damage.

Best practices for businesses

To navigate the risks associated with AI, security and cyber washing, businesses should:

  • ensure all marketing and technical claims about AI and security features are accurate, evidence based, and not misleading;
  • adopt industry best practices for cybersecurity, including regular risk assessments, staff training, and incident response planning;
  • stay up to date with guidance from the Privacy Commissioner, the National Cyber Security Centre, and other relevant authorities;
  • maintain clear documentation of how AI is used, its limitations, and the security measures in place; and
  • regularly review and update AI and security practices to keep pace with evolving threats and regulatory expectations.

As AI and the regulatory landscape continue to evolve in New Zealand, businesses must resist the temptation to engage in cyber washing and ensure that their claims about AI and security are both accurate and substantiated.

We can help

We understand that navigating the world of AI can be challenging so, please reach out to the Wynn Williams team for tailored support and advice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Katrina Hammon
Katrina Hammon
Photo of Roxana Cvasniuc
Roxana Cvasniuc
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More