You may have heard something about the Privacy Act being updated. There’s lots in the news these days about privacy, including new laws being passed which protect customer data:

  • GDPR (EU General Data Protection Regulation) from 25th May 2018
  • CCPA (California Consumer Privacy Act) from 1st January 2020
  • PDPB (India Personal Data Protection Bill)
  • Australia Privacy Amendment (Notifiable Data Breaches) from 22nd February 2018

New Zealand has recently passed the Privacy Act 2020, which aims to strengthen privacy protections and introduces a new privacy breach notification regime for breaches that have caused, or are likely to cause, serious harm.

The Privacy Act 2020 comes into full force as of 1 December 2020. While we won’t dig into all of the legal aspects of the Privacy Act, we will focus on how frameworks like the PCI DSS can be applied to help protect all information (not just credit and debit card data)!

In this post, we will cover:

  • What data do you need to protect?
  • How does PCI relate to privacy?
  • How can PCI be used to protect personally identifiable information (PII)?

What Data Needs to be Protected?

For PCI DSS, the answer is pretty simple. It’s the 16 (or more) digit primary account number (PAN), the number printed on the credit or debit card. You can’t store any sensitive authentication data (SAD) after authorisation.

When it comes to privacy, though, the scope is a lot wider than PCI (and it is often a whole lot more complicated to decide what counts as personally identifiable information (PII)).

Let’s start with the definition from the NZ Privacy Act 2020.

Personal Information means information about an identifiable individual. 

Since that’s pretty broad, we can look at the definition from data.govt.nz which says that personal information includes data such as:

  • Names
  • Phone numbers
  • Email addresses
  • Other observations where an individual is identified

It’s that last one that makes the concept of personal information so broad. And that’s why you could even include credit / debit card numbers under the scope of personal information since these numbers are associated with an identifiable individual.

To quote the Privacy Commissioner: “The Privacy Act is concerned with the content of personal information, rather than the specific form that content is in. This means that all sorts of things can contain personal information, including notes, emails, recordings, photos and scans, whether they are in hard copy or electronic form.”

PCI DSS Is All About Credit Cards, Right?

It is, but that doesn’t mean that the concepts don’t relate back to information security and protection of private data. Consider how PCI DSS protects credit card information:

  • You have to make sure it is protected in your network
  • You have to make sure that the locations where it is stored are protected and monitored for unauthorised access
  • You have to make sure that the data itself is protected so that only those people who need access can see it.
  • You have to make sure that when people access private data, there are records of it
  • You have to regularly identify technical vulnerabilities and address them
  • You need to be able to identify if there is unauthorised access to private information and be able to respond appropriately (including notifying the appropriate people).

While PCI does only specifically apply to credit and debit cards, none of these principles would be out of place for protecting ANY of your customers’ data that would be considered as private.

Think about it. If all of your customer data was encrypted and only the people who needed access to it could see it, how much less damage would there be if someone got access who shouldn’t have it?

You would be much less likely to have to worry about email addresses or other personal data being disclosed if it were protected.

How Can PCI Be Used to Protect Personally Identifiable Information (PII)?

In the simplest of terms, take the word credit card and replace it with PII.

It seems pretty simple, right?

  • “Identify locations where cardholder data is stored” becomes “identify all locations where PII is stored”.
  • “Have a process to delete cardholder data on a quarterly basis when it is no longer required” becomes “delete PII on a quarterly basis when no longer required”.
  • “Place systems that store cardholder data in an internal network zone” becomes “place systems that store PII in an internal network zone”.

The list goes on, and in pretty much every case, it’s easy (in principle) to substitute the wording to encompass any personal information.
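To show what the first substitution looks like in practice, here is a small data-discovery scan. It is an added example, not code from the original post or from Confide. It walks a few constructed sample “locations” (a support note, a CRM export, an application log), flags email addresses and candidate PANs, and uses the Luhn check digit that card numbers carry to drop long digit runs that are merely order ids or timestamps. Assumptions: the sample file contents and paths are made up; PANs are taken to be 13 to 19 digits with optional single spaces or dashes; findings are reported masked (last four digits only, first letter of an email) so that the inventory itself does not become another place PII is stored. Phone numbers, which the post also lists as personal information, are left out because a naive pattern for them produces too many false positives to be useful here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample "locations" (a support note, a CRM export, an application log)
# standing in for the places personal information ends up in practice.
SAMPLE_FILES: Dict[str, str] = {
    "support/ticket-1042.txt": (
        "Customer Jane Example (jane@example.org) called about order 7731.\n"
        "Card on file: 4111 1111 1111 1111, please update expiry.\n"
    ),
    "exports/crm-2020-11.csv": (
        "name,email,phone\n"
        "Sam Example,sam@example.net,+64 21 555 0123\n"
    ),
    "app/server.log": (
        "2020-11-02 10:14:03 INFO request id=1234567890123456 status=200\n"
    ),
}

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: real card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, summing digits of the product
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    location: str  # which file the data was found in
    line_no: int   # 1-based line within that file
    kind: str      # "pan" or "email"
    masked: str    # never the raw value: the report must not become another PII store


def mask_pan(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(addr: str) -> str:
    local, domain = addr.split("@", 1)
    return local[0] + "***@" + domain


def scan_text(location: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):  # drops order ids, timestamps and other long digit runs
                findings.append(Finding(location, line_no, "pan", mask_pan(digits)))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(location, line_no, "email", mask_email(m.group(0))))
    return findings


def scan_locations(files: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for location, text in files.items():
        findings.extend(scan_text(location, text))
    return findings


def locations_with_pii(findings: List[Finding]) -> List[str]:
    """The inventory the substituted requirement asks for: every location holding PII."""
    return sorted({f.location for f in findings})


if __name__ == "__main__":
    found = scan_locations(SAMPLE_FILES)
    for f in found:
        print(f"{f.location}:{f.line_no}  {f.kind:5}  {f.masked}")
    print("locations holding PII:", locations_with_pii(found))
```

Run against the constructed files, the scan reports the email and the card number in the support note and the email in the CRM export, but nothing from the application log: the 16-digit request id fails the Luhn check, which is the difference between a usable inventory and one that is mostly noise. Pointing the same functions at real exports, logs and file shares is the first step of “identify all locations where PII is stored”; the output also gives you the list of systems that the later substitutions (retention deletion, network zoning) need to be applied to.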

In reality, it is harder because we aren’t used to protecting personal information the same way we are used to protecting cardholder data. It’s a change. And it’s probably a big step to start by understanding what personal information you hold on behalf of your customers, where that personal information is stored, why you need to store it, and who really needs to be able to access it.

And we know the question that comes after that is: how do we use the data if we now have to protect it?

But, if We Have to Protect Data, How Can We Use It?

The focus in PCI is that only authorised individuals have access to data and that this access is for their role / a justified business reason.

So think about it this way: does everyone need access to all the customer data or do only certain people need access? Maybe more people need access to customer data like names and email addresses than credit card numbers, but the principle is still the same.

Make sure that only the people who need access to data have access. And if you don’t need the data, don’t store it.

Will it make things more complex? Maybe. But giving your customers the assurance that their data is protected is even more important. Because the last thing a company or organisation wants is to make the news, be fined and/or face a class action because of a data breach.

What Will it Cost if I Have a Data Breach?

The updated Privacy Act will make it mandatory for companies and organisations who have suffered “serious” data breaches to let affected parties and the NZ Privacy Commissioner know as soon as they find out about it – not months or years down the track, which has often been the case in the past.

The amended Privacy Act also allows the Privacy Commissioner to issue compliance notices to compel organisations and companies to comply with the law and fine them up to $10,000 for failing to do so.

Secondly, the new Privacy Act could allow for something we haven’t seen in New Zealand before: the “data breach class action”. Under the Act, an affected group, organised and perhaps funded by law firms, could take a case to the Human Rights Review Tribunal, the independent judicial body that hears claims relating to breaches of the Human Rights Act, the Privacy Act and the Health and Disability Commissioner Act.

The Tribunal regularly awards damages to the amount of tens of thousands of dollars for “emotional harm” and “humiliation, loss of dignity and injury to feelings” for individuals or groups of individuals. It will typically issue a “declaration of breach of privacy” if that has happened.

Under the declaration, the Privacy Act allows for the Human Rights Review Tribunal to award up to $350,000, paid by your company or organisation.

Finally, if credit card numbers, and therefore cardholder data, are included in the disclosed breach, the card brands can also fine you under the agreement you have with your bank. We talk about what you probably agreed to in your merchant banking agreement in our post Where Does it Say I Have to be PCI Compliant? After all, new credit or debit cards will need to be issued and they will be looking at you to meet those costs, not to mention cover any other losses the card schemes or banks may incur.

More Resources

If you’re looking for more information on data privacy, we recommend:

What Now?

Confide has people who specialise in data security and data privacy. We can help you build a framework to protect personal information and understand the risks associated with the data you store. Talk to us to see how we can help you.