Menu Search through site content What are you looking for?
Menu

Insights from the OAIC’s latest NDB Report and Supply Chain Risks

  • Legal Development 15 March 2021 15 March 2021
  • Asia Pacific

The information security sector is off to a challenging start in 2021, with businesses needing to face off significant cyber risk via their third party vendors. Multi-billion dollar businesses and Government institutions have been impacted by the Solarwinds and Accellion incidents, and now hundreds of thousands of businesses are scrambling to patch zero-day vulnerabilities in Microsoft exchange servers. 

In January 2021, the Office of the Australian Information Commissioner (OAIC) released its latest report analysing data breaches reported to the OAIC under the Notifiable Data Breaches Scheme over the previous reporting period (June 2020 – December 2020). Given the increasing frequency of third party data breaches, businesses should be aware of the OAIC’s views:

  • on third party data breaches and supply chain risk as outlined in the report; and
  • the 30 day timeframe to investigate a breach. 

Summary 

In summary: 

  • The OAIC is cracking down on entities which do not investigate a breach within the 30 day timeframe; and 
  • if your managed service provider experiences a breach, you may also have obligations to investigate the incident. 

The 30-day timeframe

What is the 30-day timeframe?

Under the Privacy Act, an entity which suspects that a data breach has occurred has 30 days to investigate whether the incident meets the threshold to be considered an ‘eligible data breach’. The entity must consider whether personal information it holds has been subject to unauthorised access, disclosure or loss, and whether this unauthorised access, disclosure or loss would be likely to result in serious harm to any affected individuals. This might occur if (for example) a website is misconfigured and personal information is accidentally published online, or a criminal group posts stolen data to the dark web. 

If the circumstances of the incident meet the threshold, the entity must notify the OAIC and individuals who are at risk of ‘serious harm’ that an eligible data breach has occurred. Unlike the 30 days an entity has to investigate a breach, entities have no set timeframe within which they must notify the OAIC and affected individuals. The Privacy Act only requires that entities notify the OAIC and affected individuals ‘as soon as is practicable’.

What are the OAIC’s views on the 30-day timeframe?

The OAIC has spent considerable time in this report setting out its expectations regarding the time an entity has to assess whether an eligible data breach has occurred, and how quickly entities notify the OAIC and affected individuals. The OAIC highlighted that 23 entities had taken longer than 120 days after they became aware of the incident to notify the OAIC. The OAIC reiterated that entities must take ‘all reasonable steps’ to ensure their assessment of a breach took no longer than 30 days.

In short, the OAIC’s discussion of the 30-day timeframe indicates that it is paying particular attention to entities which do not take all reasonable steps to complete their eligible data breach assessment within 30 days. Any entity which suspects that an eligible data breach has occurred should therefore consider prioritising resources so that it can meet its obligations under the NDB Scheme to carry out a reasonable and expeditious assessment within the 30-day timeframe. Any entity which is unable to meet its obligations should be prepared to justify the steps it took to complete its assessment to the OAIC.

Key takeaways

  • Entities must take all reasonable steps to ensure their eligible data breach assessment is completed within 30 days.
  • Where an entity cannot complete its assessment within 30 days, the entity should document the steps taken to complete the assessment to be able to demonstrate that all reasonable steps were taken, the reasons for the delay and that the assessment was reasonable and expeditious.

Managed service provider data breaches

The OAIC also spent considerable time discussing its observations regarding breaches involving MSPs (i.e. entities which provide a range of services to a client entity).

Managed service providers (MSPs)© often hold data on a client’s behalf, and the OAIC noted that it received several data breach notifications where client data had been compromised as the result of a compromise of the MSP’s systems. When this occurs, the incident can amount to a ‘multi party data breach’ under the Privacy Act. This can often present logistical difficulties, as entities need to decide who notifies end users. The OAIC observed two main methods for managing a multi-party data breach over the reporting period:

  1. Strategy 1: In several instances, the MSP managed all aspects of the data breach response in consultation with clients. This included notifying the OAIC and affected individuals.
  2. Strategy 2: In other cases, the MSP notified its clients of the breach but left it up to clients to notify end users.

The OAIC observed that in several instances, it received notification from several entities resulting from a single compromise of an MSP the entities all used. The OAIC noted that it had reasonable grounds to believe the compromise affected several other entities which did not notify the OAIC of the data breach. The entities which did not notify the OAIC were potentially in breach of their obligations to notify the OAIC and individuals in circumstances where the MSP had not coordinated the data breach response.

Key takeaways

  • The key takeaway from the OAIC’s commentary regarding MSP breaches is that if an entity uses an MSP and the entity’s data is affected by a data breach, it has obligations under the NDB Scheme to investigate the incident and notify the OAIC and affected individuals, unless the MSP coordinates data breach response.
  • If an entity’s MSP does not coordinate the response, an entity should investigate the incident to the extent possible and notify individuals and the OAIC in order to comply with NDB Scheme requirements.

In summary, a key focus for any entity which experiences a data breach in 2021 should be to prioritise completing its assessment of the incident within 30 days. Entities which use MSPs should be aware that if their data is involved in the compromise of their MSP's systems, they are likely to have obligations under the NDB Scheme. To ensure obligations are met, entities should contact their MSP for information regarding the data breach response.

Themes:

Additional authors:

Chloe Sevil

Stay up to date with Clyde & Co

Sign up to receive email updates straight to your inbox!