Data security breaches by third party contractors: is your organisation ready?

We have previously advised on the recent amendments to the Privacy Act¹ requiring entities who are regulated by the Act to now report both actual and suspected breaches of the Act to the Privacy Commissioner and to an individual who will potentially be affected by the breach.²

Whilst most APP entities (broadly a business with a turnover of more than $3M per annum)³ are aware that they need to have a Privacy Statement on their website, and are aware of the mandatory reporting requirements, other important issues are emerging which require careful consideration.⁴

A key area of risk to your organisation is in relation to information that your organisation shares with third parties.

APP 11 requires APP entities to take active measures to ensure the security of personal information they hold or disclose.  Specifically, APP 11.1 states that an APP entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure – including form third parties to whom they disclose the information.

You can obtain permission from an individual to disclose their information to a third party for certain purposes.  However, you will need to consider whether your organisation is protected, as far as practicable, in respect of data breaches by that third party.  

Whilst you can require a third party contractor to have adequate data protection systems in place, you will be unable to prevent an inadvertent data breach caused by human error, or a situation where the third party’s data is hacked.

If you share data with a third party, and their security is breached, your organisation can still be found liable for that breach.

Whilst ultimately you may be able to prove that no loss has been suffered by an individual in respect of that breach, the costs of doing so can be significant.

Now is the time to review your standard form contracts with suppliers and other third parties to ensure that they cover the issues of data breach.

You need to ensure that, as far as practicable, your organisation is protected in those circumstances.

You can ensure protection, as far as practicable, in the following ways:

Review of standard terms in your contracts with third parties

As a minimum, your standard contracts should be amended to deal with the following issues:

• the third party is to have data protection systems in place which satisfy your data security standards, provide you with details of those systems, and agree to keep those systems updated in accordance with industry standards;
• your organisation is advised of a breach, or a suspected breach, immediately;
• you have an agreed action plan with the third party should a breach or suspected breach occur and an agreed wording for notices to the individuals affected;
• the indemnities provided by third parties should make a specific reference to breaches of cyber security, and the indemnity should cover your organisation:
  
  
  • to the extent that the third party contractor was negligent or in breach of the contract, whether by omission (failing to ensure appropriate security measures were in place), or by commission (a breach due to employee error);
  • stipulate exactly what costs will be covered by the breach, such as the costs of drafting and serving notices on individuals, and the cost of data recovery;
  • your organisation’s defence costs in respect of claims should be covered.  It will often be difficult for an individual to prove actual loss as a result of the data breach, but the costs of defending a claim, particularly where a large number of individuals have been affected, can be significant;

• clarify who the data belongs to, and what happens to the data either at the end of the contract, or when software equipment used by the third party is destroyed or disposed of; and
• the data provided by your organisation cannot be shared with another party without your authorisation and that all data must be returned to your organisation or erased in a manner approved of by your organisation at the conclusion of the contract.

You need to consider if the contracting party should hold appropriate insurance for these risks.

Ensure that your organisation has appropriate insurance cover

Coverage for cyber security breaches varies significantly between insurers.

You need to speak to your broker to ensure you understand exactly what cover you have in place to protect your organisation should there be a cyber breach and, importantly, what your organisation does not have cover for.

It is common for cyber insurance polices to cover the following losses:

• loss, modification, or damage to digital assets, including restoring and updating resulting from cyber crime and computer attacks by third parties, and administrative or operational mistakes made by employees or third party providers;
• costs of extortion monies following a direct cyber extortion demand;
• public relations expenses and loss of income and expenses to mitigate a trading or profit loss caused by a public report damaging the insured’s reputation;
• lost income and mitigation for non-physical business interruptions caused by network interruption, service degradation, or network failure;
• claims brought against the insured due to a variety of breaches, namely:
  
  
  • a network security breach, and the loss or unauthorised use of network or assets;
  • transmission of a malicious code, contamination of third party data or corporate information; or
  • a breach of any third party rights, such as non-public personal or confidential corporate information (including business secrets and professional information), or employee confidentiality rights
  • defence costs, awards and fines for these breaches will also be covered in some circumstances
  • defence costs and damages for any breach of a third party’s IP rights, defamation or privacy breaches by the insured.
  • theft of physical hardware or access codes

Typically, and importantly, your organisations internal administration costs and the costs of fines and penalties are not covered by your insurer.

By taking steps to review your standard form contracts and your insurance cover now, you can minimise, as far as practicable, the risk to your organisation from a cyber attack or an inadvertent breach of the Act.