Recent Australia Privacy Amendment Reflects Growing Concern Over Third Party Cyber Risk

Alex Campanelli | March 16, 2018 | tag: Regulation & Compliance

In February of 2017, Australia’s Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, amending the Privacy Act of 1988. These new mandatory breach notification requirements officially went into effect last month, February 22, 2018. The Notifiable Data Breaches (NDB) scheme establishes new requirements for organizations around the notification of data breaches that are “likely to result in serious harm.” Following suit with the GDPR, this new law aims to provide greater protection of personal information for individuals and transparency into data privacy practices of organizations. The amendment pertains to all organizations that are already expected to comply with the Privacy Act, also referred to as APP Entities, including both federal agencies and organizations (for profit and not-for-profit) with $3 million or more in annual turnover.


Under the NDB scheme, organizations are required to report all eligible data breaches — including those from the supply chain— within 30 days to both the Australian Information Commissioner and any potentially affected individuals.  Penalties for non-compliance impact both employees as well as the organization with individual fines of up to $420,000 and organizational fines of $2.1 million.

The recent amendment addresses the significant role that third parties like vendors, partners and contractors play in data breaches and their subsequent notification. Regarding the involvement of third party contractors, the amendment mandates notification of a breach by either involved party. More specifically, the amendment highlights that while a contractor may be responsible for a data breach and must disclose that breach to its customers, first party organizations can still be hit with the reputational damage a major data breach can incur. Overall, it emphasizes what we know already to be true: organizations must take responsibility for the risk assumed through working with third parties.

With new threats emerging daily and an increased reliance on outsourced services, business leaders must be confident in their ability to manage third party risk in order to protect their organization’s most important assets. While current approaches to third party risk management are helpful, they typically only provide a moment-in-time snapshot of security risk. To proactively mitigate risk, organizations need automated tools that continuously measure and monitor the security performance of vendors.

BitSight Security Ratings for third party vendor risk management deliver timely, data-driven insights into any vendor’s security performance by continuously analyzing, and monitoring companies’ cybersecurity, all from the outside. Security ratings are generated on a daily basis, giving organizations continuous visibility into the security of key business partners. With the ability to drill down into the security details used to generate an organization’s rating, companies can lead intelligent, data-driven conversations with third parties about their security posture and anything that might be indicative of a data breach. BitSight’s independently verified data has been correlated to data breach and can help organizations understand the risk and likelihood of a data breach. Australian companies can use BitSight Security Ratings to help their organization align with some of the requirements set out by the Australian Privacy Principles, and provide insight into vulnerabilities facing Australian organizations and their third parties. 

Request a demo to see the BitSight Security Ratings platform for yourself.Get Your Rating 

Suggested Posts

7 Cybersecurity Frameworks That Help Reduce Cyber Risk

While security ratings are a great way to demonstrate that you’re paying attention to the cyber health of the organization you also need to show that you’re adhering to industry and regulatory best practices for IT security and making...


FFIEC IT Handbook Updates: Business Continuity Is 2020 Focus

In November 2019, the Federal Financial Institutions Examination Council (FFIEC) released an update to the Information Technology Examination Handbook (IT Handbook). This handbook is a guide for examiners at its member agencies, which...


Australian Companies Now Have 6 Months For APRA Compliance

Early in 2019, unknown threat actors attempted to hack the Australian federal Parliament’s computer network and the servers used by every politician, staffer, and security officer in Parliament House. Authorities believe there is a strong...


Subscribe to get security news and updates in your inbox.