OAIC Notifiable Data Breaches Report: Addressing third-party cyber risks 

18/03/2024

The Office of the Australian Information Commissioner (OAIC) recently released its latest notifiable data breaches report, covering July to December 2023, which highlights the continued risk of data breaches faced by organisations and third parties. This is underscored by a notable increase in the volume of reported data breaches, up 19% on the previous reporting period.

Third-party data breaches arise when malicious actors target a vendor, supplier or contractor to gain access to sensitive information or systems belonging both to that victim and to the victim’s clients and business partners. This opens the potential for a data breach incident to grow uncontrollably in scope, particularly where those third parties and their own partners likewise fail to adopt robust cyber safeguards.

Such incidents are more common within an increasingly interconnected and complex global supply chain, and as more organisations outsource portions of their business operations. This underscores the need for organisations to adopt a proactive and preventative approach to get ahead of such risks and ensure continued legal compliance.

Background

When organisations fail to map where their data goes, the uncontrolled sharing of proprietary and sensitive data with suppliers and contractors can lead to third-party data breaches. Malicious actors also exploit the wider cyber security supply chain by compromising third-party software updates, stealing login credentials from third parties, or introducing malicious code into applications and software. The consequences faced by organisations in the event of a data breach incident can be significant:

  • Interruption of business operations;
  • Reputational damage;
  • Identity theft or fraud;
  • Financial loss;
  • Regulatory penalties; and
  • Civil lawsuits from affected parties.

This was demonstrated following the 2022 Optus data breach, which affected the personal information of up to 10 million of its customers. In its aftermath, one individual attempted to use the stolen information to blackmail dozens of Optus customers.

Government breaches

The OAIC report highlights the first instance since 2021 where the Australian government has been listed as among the top five sectors with the most reported data breaches alongside health service providers, finance, insurance, and retail.

  • The government issued 38 notifications over the period, comprising 8% of all notifications received.
  • In contrast to the other sectors, government reported more data breaches arising from human error (68%) than from malicious or criminal attacks (32%).
  • Government also had the largest proportion of notifications (50%) where the incident was identified over 30 days after it had occurred.

These statistics highlight the need for government departments to “check they have effective systems for detecting, assessing, responding to and notifying data breaches” in order to meet the notifiable data breach scheme’s requirements.

Cyber supply chain risks

The OAIC report noted the increased risks associated with outsourcing personal information handling, tracking ‘secondary notifications’ where a data breach relates to a primary notification. There was a significant increase in the number of secondary notifications (121 notifications) compared to the previous reporting period of Jan-Jun 2023 (29 notifications).

The OAIC also outlined that most of these multi-party breaches involved a cloud or software provider, which then impacted the clients who had outsourced their personal information handling to those providers.

These developments underscore the importance of cyber supply chain risk management, noting the importance for organisations to proactively address privacy and cyber security risks across contractual agreements with third-party vendors and suppliers.

Questions you should be asking include:

  • Have you implemented a supplier relationship management policy?
  • Is there a clear line of communication with your vendor or supplier in the event of suspicious activity?
  • Do you use trusted suppliers that have been previously vetted as part of your cyber supply chain management assessments?
  • Have you consulted with your vendor or supplier on how to confirm the authenticity of their products and services?
  • Has your supplier or vendor implemented baseline security and operational controls over personal information?
  • Have you implemented post-engagement data retention or destruction clauses in contractual agreements?
  • Are data breach responsibilities clearly defined?

Cyber Security

The ever-present risk of a data breach underscores the need for organisations to take active measures to minimise its likelihood and potential impact. This requires adherence to basic cyber security measures and principles across an organisation’s operations, as outlined by the Australian Cyber Security Centre and the OAIC.

  • Do you have an incident response plan in place?
  • Do you have a robust password management policy in place?
  • Are your operating systems, browsers and plugins up-to-date?
  • Have you implemented multi-factor authentication?
  • Have your systems and devices been backed up?
  • Have your staff received routine cyber security training and updates?

Organisations are also encouraged to implement a Third-Party Cyber Risk Management (TPCRM) program. This will provide an organised approach to analyse, monitor, and mitigate cyber risks associated with third-party vendors and suppliers.

Data security

The OAIC report further highlights the government’s intent to adopt a stronger regulatory approach to Notifiable Data Breaches (NDB) scheme compliance.

Entities were reminded to have a considered and up‑to‑date data breach response plan before an incident occurs. Such plans are required to have:

  • Details of an entity’s insurance coverage;
  • A process for engaging an external provider to investigate a suspected data breach where necessary; and
  • Clear advice on the need for an expeditious investigation, which must be concluded within 30 days.

The OAIC’s 2023 commencement of an action against Australian Clinical Labs in the Federal Court further demonstrates the government’s intent to escalate from regulatory action to civil penalty proceedings in the event of significant non-compliance with the NDB scheme.

Summary

With the increasing volume of data breach reports, the growing risks posed by third-party vendors and suppliers, and the OAIC’s increasingly stern regulatory approach, organisations are encouraged to bolster both their enterprise cyber security and their legal compliance with the NDB scheme.

We work with government, business, and not-for-profits to provide practical advice and innovative solutions to emerging issues across cyber security and information and communications technology.

For advice on how to uplift your organisation’s cyber resilience, manage data breach incidents, and address potential legal risks, please contact us at enquiries@griffinlegal.com.au.
