As we approach the mandatory breach reporting regime under the Privacy Act 1988, commencing in February 2018, one of the preparatory steps is to review the contractual arrangements organisations have in place with the various suppliers and other service providers that may have access to, hold or use personal information about their clients.
It seems that in many breaches, including the most recent Dominos breach this month, there is a question about whose system the information was held in at the time of the breach, and accordingly who is responsible for investigating, reporting and remedying it. In a statement placed by Dominos on its website regarding unauthorised spam emails, Dominos said:
“There is no evidence to suggest that there has been any unauthorised access to Dominos systems. We are investigating a potential issue with a former supplier’s system that may have led to a number of customer email addresses, names and store suburbs (related to pizza orders) being accessed as a result.”
Similarly, in the September 2016 breach of the Australian Red Cross Blood Service, the breach was determined to have been caused by an employee of a third party provider to Red Cross saving a database file containing information on approximately 550,000 prospective blood donors to a public-facing website.
These examples illustrate that it is not only necessary to deal with privacy compliance as a contractual matter with the organisation’s suppliers, but also to include audit and operational provisions that ensure security in practice.
The new rules will require a potential breach incident to be assessed and for individuals affected to be notified within 30 days if there is a suspicion of serious harm. This means breached businesses will want the cooperation of their third party service providers to help them to investigate and manage customer relationships and reputations.
On this basis we consider that all organisations which allow third party service providers access to their data need to upgrade their current contractual arrangements to include specific mutual cooperation provisions dealing with the consequences of a breach.
Given that dealing with a breach is often a crisis management situation in its own right, having prepared responses, roles and liaison protocols in place both within the business and with business partners can make the difference between a well-managed breach and a reputational and public relations fiasco.