By: Kieran Doyle, Nicole Gabryk, Nick Martin and Olivija Radinovic
For this year’s Privacy Awareness Week, the OAIC is calling on entities to ‘power up’ privacy – to take control and to step things up. Privacy regulators from across Australia issued a joint statement for Privacy Awareness Week which set out more details for this year’s theme[1]:
“With coming state and national privacy reforms, and significant debate about key issues such as the activities and regulation of social media platforms, children’s privacy, biometrics and the use of AI, it is a critical time in the privacy landscape.
This year’s theme for Privacy Awareness Week focuses on privacy and technology and the key principles of transparency, accountability and security.
… Our personal data encapsulates who we are. Regulators are urging organisations to ‘power up’ the security of personal information to guard against known and emerging threats, including credential stuffing, human error, and vulnerabilities posed through third-party providers”
While most organisations are taking positive strides to update their own internal cyber security posture and create safety nets around the data they hold, third-party service providers (who often hold treasure troves of sensitive data for clients) are a risk frequently overlooked – often in favour of the convenience of the services they provide. However, a breach of a third-party service provider can often create more issues for an organisation than if the breach had happened to the organisation itself.
Third-party service provider breaches on the rise
Given the recent spate of highly publicised data breaches occurring via third-party service providers, there is an urgent need for entities to identify and mitigate the associated privacy risks.
The OAIC’s Notifiable Data Breach report (July to December 2023)[2] reported a noticeable increase in notifications of data breaches involving third-party service providers (compared to the previous reporting period): of the 483 data breach notifications made to the OAIC, 121 were ‘secondary data breaches’.
One high-profile breach currently in the spotlight is the one experienced by ClubsNSW. This occurred via a third-party service provider who experienced a cyber incident, and may have resulted in highly sensitive data such as “facial recognition biometrics, driver’s licence scans, club membership details, and more”[3] being impacted for over 1 million ClubsNSW members. Privacy Commissioner, Ms Carly Kind, in an interview with the Guardian to mark the launch of Privacy Awareness Week, warned of the privacy risks posed by third-party service providers: “We’re absolutely seeing a rise in third party suppliers being the source of data breaches. Being a point of vulnerability for others in terms of compliance with Privacy Act is very real and what we’re cautioning organisations about is ensuring that they’re passing on their obligations in the best way possible in any contract with third parties… it’s becoming a real weak spot in the chain of protecting privacy.”[4]
With many third-party service providers holding treasure troves of sensitive data as a result of the services they provide to large organisations, they present the perfect opportunity for threat actors: a smaller third-party supplier can be exploited as a ‘way in’ to the systems or environments of the larger victim organisation.
Privacy laws: obligations and reforms
Under the current provisions of the Privacy Act 1988 (Cth) (Privacy Act), a cyber incident experienced by a third-party supplier does not negate an organisation’s own privacy and notification obligations. Australian Privacy Principle[5] 11 requires any organisation that ‘holds’ personal information to take reasonable steps to protect that information from misuse, including unauthorised access and disclosure.[6] ‘Holds’ is defined to include where an organisation ‘has possession or control of a record that contains personal information’; as such, both an organisation and its third-party supplier could have joint obligations under the Privacy Act.[7]
In a speech delivered on 2 May 2024, the Attorney-General, Mark Dreyfus, signalled that the long-awaited privacy reforms to the Privacy Act would commence from August 2024, when legislation would be brought forward to “overhaul the Privacy Act and protect Australians from doxxing”.[8]
Of the 116 privacy reform proposals (the vast majority of which the Government has agreed to, or agreed to in principle), a number will potentially impact organisations whose data is held or processed by third-party suppliers. Organisations will need to closely monitor the privacy law reforms that will be implemented in the coming months and consider the impact of the overhauled legislation on their use of, and reliance on, third-party service providers. Significant change is coming, and organisations need to prepare now.
What steps can be taken to reduce privacy risks associated with third-party suppliers?
The OAIC[9] highlighted two core issues seen in third-party supplier breaches:
- a lack of data retention or destruction clauses in contractual agreements between an organisation and its third-party service provider, and
- a lack of ‘clearly defined responsibilities’ in the event of a data breach.
Accordingly, the OAIC has recommended that organisations have in place appropriate contractual arrangements regarding personal information data handling practices, and incorporate into those arrangements details of who will have the obligation to notify the OAIC in the event of a suspected data breach.[10]
During vendor selection, organisations should give information security the focus it deserves. Does a particular third-party service provider have access to sensitive data or systems? If so, analyse each candidate provider’s IT security and lean towards those with demonstrably high levels of maturity. In particular, look at the security controls the vendor has in place, as well as the vendor’s client list and track record. This is particularly important when contracting with vendors who are based outside of Australia and who may not be subject to the same privacy obligations as the customer. Organisations can no longer prioritise the convenience of services over the security and protection of their own and their clients’ personal information.
To further mitigate third-party data breach risk, you should:
- Have clear requirements in your contracts with third-party vendors around IT security and how they may handle or process your data (e.g. restrictions on transfer to fourth parties)
- Continuously monitor third-party vendors for vulnerabilities and ensure they take a proactive approach to remediation
- Require key vendors to independently verify their IT security practices, including maintaining high levels of credential security, to ensure that personal and sensitive information is protected and to prevent unauthorised access to accounts, systems and data, and
- Always keep up to date with applicable regulatory requirements as to IT security and be ready to flow down obligations to third-party vendors.
For more information, or to speak to a member of our team, contact us at auscyberclaims@wottonkearney.com.au.
[1] https://www.ipc.nsw.gov.au/statements/privacy-awareness-week-joint-statement-privacy-authorities-australia
[2] https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2023
[3] https://www.afr.com/companies/games-and-wagering/payback-unpaid-foreign-developers-blamed-for-huge-clubs-data-breach-20240502-p5fobx
[4] https://www.theguardian.com/australia-news/article/2024/may/06/third-party-providers-a-customer-data-weak-spot-australian-privacy-commissioner-says
[5] There are 13 Australian Privacy Principles organisations are required to comply with under the Privacy Act 1988 (Cth).
[6] https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information
[7] Privacy Act 1988 (Cth) s 6.
[8] https://ministers.ag.gov.au/media-centre/speeches/privacy-design-awards-2024-02-05-2024
[9] https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2023
[10] https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2023