Clearing the cloudiness around third party vendor breaches
04 August 2017
Cloud-based data hosting and the use of third party vendors to manage and process data are fast becoming ubiquitous in today's online world. The rapid expansion of such third party digital ecosystems, which often extend across jurisdictions and territorial borders, comes with added cyber security risks.
In the past 12 months we have seen a number of notable data breaches (not always involving a "hack" of information) relating to third party vendors, including cloud-based data hosts, that have had wide-reaching impact. For example:
- In June 2017, the personal information of close to 200 million American voters was found to have been exposed on a publicly-accessible cloud server, supposedly due to a simple misconfiguration error.
- According to media reports in early July 2017, data relating to around three million fans of a well-known wrestling entertainment company—including home and email addresses, birth dates and demographic survey information—was purportedly left unsecured on cloud-hosted infrastructure, readily accessible to anyone who knew the relevant web address.
- Closer to home, in 2016, the personal information of around half-a-million Red Cross blood donors was accessed by an unauthorised person as a result of human error at one of the Red Cross's third-party contractors.
Managing the kinds of data breaches identified above should already be a paramount consideration for any entity that routinely handles the personal information of customers and employees. For Australian entities, it will become even more important when the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) comes into force next year.
Under the new regime, an entity to which the mandatory data breach notification scheme applies and that discloses personal information to an overseas recipient will remain accountable for an offshore eligible data breach, even if that entity is not responsible for the breach. The entity will be required to comply with the reporting requirements as if it were, itself, holding the information at the time of the eligible breach.
Further, if more than one entity jointly and simultaneously holds the same record of personal information, an eligible data breach may trigger reporting obligations for both entities. Under the definition in s 6(1) of the Privacy Act 1988 (Cth), an entity "holds" personal information if it has possession or control of a record containing that information. In an outsourcing or shared services arrangement where, for example, one entity stores personal information in an online platform provided by another entity, the customer retains control of the record and the provider has possession of it, so both entities are "holding" the information and both have mandatory reporting obligations.
Entities affected by the mandatory data breach notification scheme (and those not yet subject to it) should give careful consideration to how relationships with third party vendors affect their risk management and insurance arrangements, so as to identify and close any gaps in internal risk policies and coverage. In practice, because the entity remains accountable regardless of who caused the breach, vendor and cloud hosting contracts should oblige the provider to notify the entity promptly of any suspected breach, so that the entity can meet its own assessment and notification obligations in time.