The information security sector is off to a challenging start in 2021, with businesses needing to face off significant cyber risk via their third party vendors. Multi-billion dollar businesses and Government institutions have been impacted by the Solarwinds and Accellion incidents, and now hundreds of thousands of businesses are scrambling to patch zero-day vulnerabilities in Microsoft exchange servers.
In January 2021, the Office of the Australian Information Commissioner (OAIC) released its latest report analysing data breaches reported to the OAIC under the Notifiable Data Breaches Scheme over the previous reporting period (June 2020 – December 2020). Given the increasing frequency of third party data breaches, businesses should be aware of the OAIC’s views:
What is the 30-day timeframe?
Under the Privacy Act, an entity which suspects that a data breach has occurred has 30 days to investigate whether the incident meets the threshold to be considered an ‘eligible data breach’. The entity must consider whether personal information it holds has been subject to unauthorised access, disclosure or loss, and whether this unauthorised access, disclosure or loss would be likely to result in serious harm to any affected individuals. This might occur if (for example) a website is misconfigured and personal information is accidentally published online, or a criminal group posts stolen data to the dark web.
If the circumstances of the incident meet the threshold, the entity must notify the OAIC and individuals who are at risk of ‘serious harm’ that an eligible data breach has occurred. Unlike the 30 days an entity has to investigate a breach, entities have no set timeframe within which they must notify the OAIC and affected individuals. The Privacy Act only requires that entities notify the OAIC and affected individuals ‘as soon as is practicable’.
What are the OAIC’s views on the 30-day timeframe?
The OAIC has spent considerable time in this report setting out its expectations regarding the time an entity has to assess whether an eligible data breach has occurred, and how quickly entities notify the OAIC and affected individuals. The OAIC highlighted that 23 entities had taken longer than 120 days after they became aware of the incident to notify the OAIC. The OAIC reiterated that entities must take ‘all reasonable steps’ to ensure their assessment of a breach took no longer than 30 days.
In short, the OAIC’s discussion of the 30-day timeframe indicates that it is paying particular attention to entities which do not take all reasonable steps to complete their eligible data breach assessment within 30 days. Any entity which suspects that an eligible data breach has occurred should therefore consider prioritising resources so that it can meet its obligations under the NDB Scheme to carry out a reasonable and expeditious assessment within the 30-day timeframe. Any entity which is unable to meet its obligations should be prepared to justify the steps it took to complete its assessment to the OAIC.
The OAIC also spent considerable time discussing its observations regarding breaches involving MSPs (i.e. entities which provide a range of services to a client entity).
Managed service providers (MSPs)© often hold data on a client’s behalf, and the OAIC noted that it received several data breach notifications where client data had been compromised as the result of a compromise of the MSP’s systems. When this occurs, the incident can amount to a ‘multi party data breach’ under the Privacy Act. This can often present logistical difficulties, as entities need to decide who notifies end users. The OAIC observed two main methods for managing a multi-party data breach over the reporting period:
The OAIC observed that in several instances, it received notification from several entities resulting from a single compromise of an MSP the entities all used. The OAIC noted that it had reasonable grounds to believe the compromise affected several other entities which did not notify the OAIC of the data breach. The entities which did not notify the OAIC were potentially in breach of their obligations to notify the OAIC and individuals in circumstances where the MSP had not coordinated the data breach response.
In summary, a key focus for any entity which experiences a data breach in 2021 should be to prioritise completing its assessment of the incident within 30 days. Entities which use MSPs should be aware that if their data is involved in the compromise of their MSP's systems, they are likely to have obligations under the NDB Scheme. To ensure obligations are met, entities should contact their MSP for information regarding the data breach response.