Short answer: a lost laptop should be treated as an information-risk event until the firm can prove the risk is low.
What this helps you check
Use this as a practical starting point for a calmer internal review.
- Device encryption and remote wipe readiness
- Account lock-down and MFA response
- Privacy and client-risk triage in the first hour
For a New Zealand professional services firm, a missing device is not just a hardware problem. It may involve client files, email access, saved browser sessions, financial information, legal documents, or personal information.
The right response is calm, fast, and documented.
What should happen in the first hour?
The first hour should focus on facts and containment:
- Confirm who had the laptop and when it was last seen.
- Check whether the device is encrypted and managed.
- Locate, lock, or wipe the device if possible.
- Revoke active sessions and protect the user's account.
- Check whether multi-factor authentication is active.
- Identify what client or personal information may be stored locally.
- Record decisions and actions as they happen.
This is not a time for panic. It is a time for a clear run sheet.
Why encryption and device management matter
If the laptop is encrypted, protected by strong authentication, and managed through Microsoft Intune or a similar platform, the firm is in a better position. It may be able to confirm device status, enforce policy, lock the device, or wipe it remotely.
If the device is unmanaged, unencrypted, or used to store files locally, the risk assessment becomes harder. The firm may not know what was on the device or whether it can be protected.
Protect the account as well as the laptop
A lost laptop can create account risk. If a browser session, email client, VPN, or document app remains active, someone may try to access firm systems through the device.
The response should include account protection: revoking sessions, changing passwords if needed, checking sign-in activity, and confirming multi-factor authentication is working as intended.
Does a lost laptop need to be reported?
A lost laptop is not automatically a notifiable privacy breach in New Zealand. The firm needs to assess what information may be involved and whether serious harm is possible.
The Office of the Privacy Commissioner expects organisations to assess privacy breaches carefully and report notifiable breaches as soon as practicable. Its 72-hour expectation is a guide once an organisation becomes aware that a breach is notifiable.
That means firms should be ready to answer:
- Was personal information on the device?
- Was client or matter information stored locally?
- Was the device encrypted?
- Could anyone access email, files, or firm systems?
- Is serious harm possible?
- Who needs to be told, and when?
What should be ready before a device goes missing?
The strongest response is prepared before the incident. Professional services firms should have:
- Encrypted laptops.
- Central device management.
- Remote lock and wipe capability.
- Multi-factor authentication.
- Cloud-backed work folders rather than local-only storage.
- A lost-device response checklist.
- A privacy breach assessment process.
- Clear ownership between the firm, IT provider, and leadership team.
The goal is not to make loss impossible. It is to make the consequences manageable.
FAQs
What should a firm do first if a laptop is lost?
The firm should confirm who had the device, when it was last seen, whether it was encrypted and managed, then lock or wipe it if possible, protect the user's account, and assess whether client or personal information may be involved.
Does a lost laptop always need to be reported as a privacy breach in New Zealand?
No. A lost laptop is not automatically a notifiable privacy breach, but the firm should assess whether personal information was involved and whether serious harm is possible.
What controls reduce lost-laptop risk?
Useful controls include device encryption, Microsoft Intune or similar device management, multi-factor authentication, remote lock and wipe, cloud backup or OneDrive Known Folder Move, and clear incident response steps.
Sources: Office of the Privacy Commissioner, Microsoft, and EQIQ local brand materials.
Book a Conversation
