Recent Australia Privacy Amendment Reflects Growing Concern Over Third Party Cyber Risk

In February of 2017, Australia’s Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, amending the Privacy Act of 1988. These new mandatory breach notification requirements officially went into effect last month, February 22, 2018. The Notifiable Data Breaches (NDB) scheme establishes new requirements for organizations around the notification of data breaches that are “likely to result in serious harm.” Following suit with the GDPR, this new law aims to provide greater protection of personal information for individuals and transparency into data privacy practices of organizations. The amendment pertains to all organizations that are already expected to comply with the Privacy Act, also referred to as APP Entities, including both federal agencies and organizations (for profit and not-for-profit) with $3 million or more in annual turnover.

Under the NDB scheme, organizations are required to report all eligible data breaches, including those originating in the supply chain, within 30 days to both the Australian Information Commissioner and any potentially affected individuals. Penalties for non-compliance apply to both employees and the organization, with individual fines of up to $420,000 and organizational fines of up to $2.1 million.

The recent amendment addresses the significant role that third parties like vendors, partners and contractors play in data breaches and their subsequent notification. Regarding the involvement of third party contractors, the amendment mandates notification of a breach by either involved party. More specifically, the amendment highlights that while a contractor may be responsible for a data breach and must disclose that breach to its customers, first party organizations can still be hit with the reputational damage a major data breach can incur. Overall, it emphasizes what we know already to be true: organizations must take responsibility for the risk assumed through working with third parties.


With new threats emerging daily and an increased reliance on outsourced services, business leaders must be confident in their ability to manage third party risk in order to protect their organization’s most important assets. While current approaches to third party risk management are helpful, they typically only provide a moment-in-time snapshot of security risk. To proactively mitigate risk, organizations need automated tools that continuously measure and monitor the security performance of vendors.

BitSight Security Ratings for third party vendor risk management deliver timely, data-driven insights into any vendor’s security performance by continuously analyzing and monitoring companies’ cybersecurity, all from the outside. Security ratings are generated on a daily basis, giving organizations continuous visibility into the security of key business partners. With the ability to drill down into the security details used to generate an organization’s rating, companies can lead intelligent, data-driven conversations with third parties about their security posture and anything that might be indicative of a data breach. BitSight’s independently verified data has been correlated with data breaches and can help organizations understand the risk and likelihood of a data breach. Australian companies can use BitSight Security Ratings to help their organization align with some of the requirements set out by the Australian Privacy Principles, and to gain insight into vulnerabilities facing Australian organizations and their third parties.

Request a demo to see the BitSight Security Ratings platform for yourself.