1 December 2025
Your email:
The information in these articles is general information only, is provided free of charge and does not constitute legal or other professional advice. We try to keep the information up to date. However, to the fullest extent permitted by law, we disclaim all warranties, express or implied, in relation to this article – including (without limitation) warranties as to accuracy, completeness and fitness for any particular purpose. Please seek independent advice before acting on any information in this article.
Artificial intelligence (AI) is rapidly transforming the way New Zealand businesses operate, offering new efficiencies, insights and capabilities.
However, as AI becomes more embedded in digital infrastructure, it introduces new security risks and regulatory challenges. At the same time, the rise of “cyber washing”, which is the practice of overstating or misrepresenting the security or AI capabilities of products and/or services, poses significant risks for businesses and consumers.
AI technologies are integral to modern cybersecurity strategies. By leveraging machine learning and data analytics, AI systems can continuously monitor networks, detect anomalies, and respond to potential threats in real time.
Yet, while AI enhances cybersecurity, it also introduces new and complex risks. The same technologies that help businesses, can be exploited by attackers. Cybercriminals are using AI to automate attacks, generate convincing phishing messages, and create deepfakes that can deceive individuals and businesses. AI tools can also be used to probe systems for vulnerabilities at unprecedented speed and scale, allowing attackers to tailor their strategies in ways that outpace traditional defences.
The dual nature of AI means businesses must take a more proactive and adaptive approach to security.
Cyber washing can include:
Cyber washing is problematic because it gives customers a false sense of security, exposes businesses to regulatory action and/or legal claims, and undermines trust in the market.
New Zealand’s legal framework for cybersecurity and data protection is primarily governed by the Privacy Act 2020 (PA), which sets out obligations for the collection, use, and protection of personal information. The PA requires agencies to implement reasonable security safeguards and to notify the Privacy Commissioner and affected individuals in the event of a notifiable privacy breach.
While there is currently no AI-specific legislation in New Zealand, existing privacy laws apply to the use of AI. The Office of the Privacy Commissioner (Privacy Commissioner) has issued guidance on the responsible use of AI.
In addition to privacy obligations, businesses must also be mindful of their responsibilities under the Fair Trading Act 1986 (FTA), which prohibits misleading and deceptive conduct. This applies to marketing claims relating to cybersecurity or AI capabilities. Overstating the sophistication, reliability, or security of AI-enabled systems may constitute “cyber-washing”, exposing businesses to regulatory scrutiny and reputational damage.
To navigate the risks associated with AI, security and cyber washing, businesses should:
As AI and the regulatory landscape continue to evolve in New Zealand, businesses must resist the temptation to engage in cyber washing and ensure that their claims about AI and security are both accurate and substantiated.
We understand that navigating the world of AI can be challenging so, please reach out to the Wynn Williams team for tailored support and advice.
Katrina Hammon, Partner – General Business & SMEs team
Roxana Cvasniuc, Associate – General Business & SMEs team
WWW.WYNNWILLIAMS.CO.NZ
