Regulation & Compliance

Recent Australia Privacy Amendment Reflects Growing Concern Over Third Party Cyber Risk

Alex Campanelli | March 16, 2018

In February 2017, Australia's Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, amending the Privacy Act 1988. The new mandatory breach notification requirements took effect last month, on February 22, 2018. The Notifiable Data Breaches (NDB) scheme sets out what organizations must do when a data breach is "likely to result in serious harm" to the individuals whose information is involved. In line with the GDPR, the law aims to give individuals greater protection of their personal information and more transparency into how organizations handle it. The amendment applies to every organization already required to comply with the Privacy Act, collectively known as APP entities: federal agencies, and for-profit and not-for-profit organizations with $3 million or more in annual turnover.

Under the NDB scheme, an organization that suspects an eligible data breach, including one originating in its supply chain, must assess it within 30 days and, once the breach is confirmed, notify both the Australian Information Commissioner and the affected individuals as soon as practicable. Penalties for non-compliance apply to individuals as well as the organization, with fines of up to $420,000 for individuals and $2.1 million for organizations.

The amendment addresses the significant role that third parties such as vendors, partners and contractors play in data breaches and in their subsequent notification. Where a contractor holds personal information on behalf of a customer, either party may make the notification, and a notification by one satisfies the obligation for both. The practical point is that even when a contractor is responsible for a breach and discloses it, the first-party organization still bears the reputational damage a major breach brings. In short, the law reinforces what is already understood: organizations must own the risk they take on when they work with third parties.

With new threats emerging daily and growing reliance on outsourced services, business leaders need confidence in their ability to manage third-party risk in order to protect their organization's most important assets. Current approaches to third-party risk management, such as questionnaires and periodic audits, are useful, but they typically capture only a point-in-time snapshot of a vendor's security. To mitigate risk proactively, organizations need automated tools that continuously measure and monitor the security performance of their vendors.

BitSight Security Ratings for third-party vendor risk management deliver timely, data-driven insight into any vendor's security performance by continuously analyzing and monitoring companies' cybersecurity from the outside, with no access to the vendor's internal systems required. Ratings are updated daily, giving organizations continuous visibility into the security of key business partners. Because the security details behind a rating are available for drill-down, companies can hold informed, data-driven conversations with third parties about their security posture and about any observation that might indicate a data breach. BitSight's independently verified data has been correlated with data breach likelihood and can help organizations understand the risk a given vendor represents. Australian companies can use BitSight Security Ratings to help align with some of the requirements set out in the Australian Privacy Principles, and to gain insight into the vulnerabilities facing Australian organizations and their third parties.
