Recent Australia Privacy Amendment Reflects Growing Concern Over Third Party Cyber Risk

Alex Campanelli | March 16, 2018 | tag: Regulation & Compliance

In February 2017, Australia’s Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, amending the Privacy Act 1988. The mandatory breach notification requirements it introduced came into effect last month, on February 22, 2018. The Notifiable Data Breaches (NDB) scheme requires organizations to notify data breaches that are “likely to result in serious harm” to the individuals whose information is involved. In the same spirit as the GDPR, the law aims to give individuals greater protection of their personal information and greater transparency into how organizations handle it. The amendment applies to every organization already required to comply with the Privacy Act, known as APP entities: Australian Government agencies and organizations, for-profit and not-for-profit, with annual turnover of more than $3 million (plus certain smaller entities, such as private health service providers, that the Act covers regardless of turnover).


Under the NDB scheme, an organization that suspects an eligible data breach must assess it within 30 days and, once it has reasonable grounds to believe an eligible breach has occurred, must notify both the Australian Information Commissioner and the individuals at risk of serious harm as soon as practicable. This applies equally to breaches that originate in the supply chain. Failure to comply is treated as an interference with privacy: serious or repeated non-compliance carries civil penalties of up to $420,000 for individuals and $2.1 million for organizations.

The amendment also recognizes the significant role that third parties such as vendors, partners and contractors play in data breaches and in their notification. Where more than one organization holds the same personal information, for example a company and the contractor or service provider processing data on its behalf, notification by any one of them satisfies the obligation for all of them; if none notifies, each is exposed. In practice this means a contractor may be the party that caused a breach and disclosed it to its customers, yet the first-party organization whose customers are affected still bears the reputational damage a major breach brings. The takeaway is one we already know to be true: organizations must own the risk they assume when working with third parties.

With new threats emerging daily and an increasing reliance on outsourced services, business leaders must be confident in their ability to manage third party risk in order to protect their organization’s most important assets. Current approaches to third party risk management are helpful, but they typically provide only a point-in-time snapshot of a vendor’s security risk. To mitigate risk proactively, organizations need automated tools that continuously measure and monitor the security performance of their vendors.

BitSight Security Ratings for third party vendor risk management deliver timely, data-driven insight into a vendor’s security performance by continuously analyzing and monitoring companies’ cybersecurity from the outside. Ratings are generated daily, giving organizations continuous visibility into the security of key business partners. Because companies can drill down into the details behind a rating, they can hold informed, data-driven conversations with third parties about their security posture and about any observation that might indicate a data breach. BitSight’s independently verified data has been correlated with the likelihood of a data breach, helping organizations gauge the risk that a given vendor will suffer one. Australian companies can use BitSight Security Ratings to help align with some of the requirements set out in the Australian Privacy Principles and to gain insight into the vulnerabilities facing Australian organizations and their third parties.
