Is It Fraud, Or Is It A Privacy Breach?
In reality, it’s often both, and recognising the overlap is critical for organisations seeking to comply with the Privacy Act and maintain trust.
There’s a strong and sometimes overlooked intersection between fraud and privacy breaches. When a fraudster gains access to an individual’s account, whether by phishing, social engineering, or credential stuffing, it’s not only a financial issue; it’s also a privacy breach under New Zealand’s Privacy Act 2020.
A privacy breach, as defined by the Act, includes the unauthorised or accidental access to, disclosure, alteration, loss, or destruction of personal information. Crucially, the information doesn’t need to be leaked or widely disseminated. The simple act of someone who isn’t authorised viewing that personal information is enough to qualify as a breach. Intent isn’t the determining factor; impact is.
The Office of the Privacy Commissioner (OPC) recently released a case note (CE03162 [2025] NZPrivCmr2) highlighting a finance company’s failure to recognise that a fraud event was also a notifiable privacy breach. This incident serves as a timely and important reminder: even when fraud appears to be “external,” organisations still have obligations under the Privacy Act to assess whether a breach has occurred and to respond appropriately.
One of the most common misconceptions we see is that if a customer voluntarily provided their credentials, perhaps via a phishing email or scam phone call, then any resulting access by a fraudster doesn’t count as a privacy breach. This isn’t accurate. Under the Act, it doesn’t matter whether the breach was caused by someone inside the organisation, by a malicious actor outside it, or even through the actions of the individual themselves. If personal information has been accessed without proper authorisation, it is still considered a privacy breach.
This means that even where an organisation has strong technical controls in place that meet the requirements of Information Privacy Principle 5 (which requires agencies to protect personal information against loss, access, use, or disclosure), a breach can still occur.
When assessing any privacy breach, the key step is to put yourself in the individual’s shoes and consider the impact on them when deciding whether it is a privacy breach and potentially notifiable. Liability and accountability for the breach are separate questions, to be considered once the harm to the individual has been mitigated.