Robust data protection and security clauses in supplier and third-party contracts are an important component of the frontline defence against these risks.
In practice, generic contractual clauses that do not spell out the security measures a supplier is required to implement can expose the purchaser to legal liability. In addition, the purchaser may have no recourse against the supplier because the data protection requirements are unclear. Contracts should always impose specific organisational and technical measures that suppliers must implement to safeguard information assets.
Regulators and customers alike are taking legal action against Australian organisations that fail to do so (e.g. the Optus class action and the OAIC litigation against Medibank). This article outlines 4 steps that organisations can take to better secure information assets in contracts with vendors.
1. Know Your Privacy Obligations
Regulated entities subject to the Australian Privacy Act 1988 are mandated to “take such steps as are reasonable in the circumstances to protect personal and sensitive information: (a) from misuse, interference and loss; and (b) from unauthorised access, modification or disclosure”. This obligation ensures that organisations implement adequate safeguards to maintain the integrity and confidentiality of personal information.
The Privacy Bill 2024 proposes changes to this obligation by clarifying that reasonable steps include technical and organisational steps.
This security obligation needs to be read in conjunction with the first Australian Privacy Principle (APP), which obliges regulated entities to:
“take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity”.
APP 1 is a foundational obligation that underscores the importance of managing information security and privacy risk through appropriate governance structures. Organisations are accountable for operationalising a privacy compliance framework that takes a proactive approach to data protection and their respective privacy obligations.
Similar, yet not identical, obligations apply in relation to specific types of personal information under the Privacy Credit Reporting Code 2014, the Privacy Tax File Number Rules 2015, and the Consumer Data Rights Act 2019. Consideration should also be given to security and confidentiality obligations that may arise from professional secrecy laws, the directors’ duty of care, and industry-specific regulations.
For instance, APRA-regulated entities are subject to specific information security obligations that address supply chain security risks. An APRA-regulated entity must
“take reasonable steps to satisfy itself that the third party has sufficient information security capability to manage the additional threats and vulnerabilities resulting from such arrangements”.
Once all applicable obligations have been identified, it is time to assess the privacy, information risk and (cyber) security measures that the prospective supplier currently has in place.
2. Complete Risk Assessments
Thorough risk assessments are important to demonstrate to regulators that prudent steps were taken to ensure that third parties have the necessary technical and organisational measures in place to protect information assets, including personal information.
Third-party privacy risk management and supplier due diligence are critical for managing business and compliance risks. Third-party risk assessments identify the security, data, and privacy risks that may arise from a third party accessing or using personal information, and suggest how each risk should be treated.
For example, identified risks may relate to an organisation’s operations, shareholder value, reputation, assets, and customers. Each identified risk is evaluated for the likelihood that it causes harm and for the consequences if it does, taking into account the threat landscape and known organisational or technical vulnerabilities.
Risk treatment options will depend on the procedures and techniques that the third party has already deployed to manage the risks. What counts as an acceptable risk will vary with an organisation’s risk appetite, its business objectives, the volume and nature of the information involved, and the risks to individuals.
Invariably, risk treatment options involve recommendations that appropriate security standards are imposed through contractual measures.
3. Translate Risk Assessments into Contracts
The recommendations from the supplier risk assessments are the drafting instructions for the lawyers that negotiate the contract with the supplier or third-party service provider. To be effective, the findings and recommendations from the respective risk assessments need to be translated into the contract.
In practice, however, there is often a disconnect between the recommended security controls and the terms of the contract.
For example, a risk assessment may recommend requiring the supplier to implement cryptographic deletion measures, multi-factor authentication, and an identity and access management system. Yet the actual supplier contract merely requires that the supplier:
“take reasonable steps to prevent unauthorised access to or loss of Personal Information and Confidential Information and the services, systems, devices or media containing this information”.
In this case it is unclear what ‘reasonable steps’ the vendor needs to take. There is no mention of cryptographic deletion or MFA standards. Generic contractual clauses significantly undermine an organisation’s ability to manage security risk in the supply chain.
In the event that the supplier suffers a data breach, this may leave the purchaser with limited or no legal recourse. And regulators may ask uncomfortable questions.
Around a quarter of APRA’s regulated entities (~24%) were assessed in the first tranche of CPS 234 assessments. The most common control gaps identified by APRA were:
- incomplete identification and classification for critical and sensitive information assets;
- limited assessment of third-party information security capability;
- inadequate definition and execution of control testing programs;
- incident response plans not regularly reviewed or tested;
- limited internal audit review of information security controls; and
- inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.
Let’s compare this security clause to the way service levels are typically defined. A service-level agreement sets out the expected level of service (e.g. uptime of service) from a vendor, laying out metrics by which service is measured, as well as remedies if the service levels are not achieved.
Service levels are a critical component of any contract with technology vendors. Purchasers should approach contractual privacy and security obligations in the same way, by requiring specific security measures and techniques from vendors. This can be achieved by reference to a specific international security standard (not ‘industry best practice’) and/or by specifying non-negotiable security measures that must be maintained throughout the term of the contract. The consequences of not upholding the contractually agreed security standards should also be addressed (e.g. termination rights, damages). Generic and vague security clauses may undermine or even invalidate the risk management process and open the purchaser up to liability.
Example Security Measures for third party contracts
- Layered Security Controls: Implement layered security controls to avoid single points of failure.
- Multi-Factor Authentication: Enforce multi-factor authentication for access to systems and data.
- Password Management Policies: Establish and enforce robust password management policies.
- Access Control: Ensure users have appropriate access levels based on their roles and responsibilities. Monitor and review accounts with privileged permissions.
- Security Monitoring: Implement robust security monitoring processes to detect and respond to incidents in a timely manner.
- Third-Party Oversight: Maintain effective oversight of third-party providers to ensure they have robust information security capabilities.
- Regular Reviews and Improvements: Regularly review practices and systems, assess critical and sensitive infrastructure, and act on areas for improvement promptly.
- Specify Consequences for Non-Compliance: Define the consequences of not implementing or maintaining agreed security protocols (e.g., termination rights, indemnities, damages).
- Incident Management Process: Outline a comprehensive incident management process.
- Training for Supplier Personnel: Specify training requirements for supplier personnel.
- Subcontracting Conditions: Define conditions for subcontracting and require that subcontractors comply with the same information security requirements.
- Third-Party Attestations or Certifications: Require third-party attestations or certifications to verify the supplier’s ongoing information security capabilities.
- Backup and Disaster Recovery: Implement a robust backup and disaster recovery policy aligned with organisational needs. Operate a separate disaster recovery location for data resilience.
- Change Management Policy: Enforce a comprehensive change management policy with advance notifications, including change of ownership.
- Physical Security Controls: Implement physical on-site security controls appropriate to the information processed.
- Data Transfer Protection: Protect data during transfers between servers, storage locations, and other systems.
- Termination Procedures: Outline comprehensive actions for termination, including asset disposal, information deletion, IP return, and access rights removal.
- Secure Information Destruction: Define and ensure secure destruction, deletion, or de-identification of organisational information when no longer required.
- Regular Audits and Assessments: Include provisions for regular audits and assessments of the supplier’s security practices.
4. Monitoring and Review
Being satisfied that a vendor currently has robust information security frameworks in place is the first step. The second step is to ensure that the vendor continues to maintain and test its information security capabilities. Effective security management within supply chains requires controls to be continuously monitored, tested, and adapted to changes in the risk or regulatory landscape.
5. Conclusion
Third-party privacy and security risk assessments are not an end in themselves. Instead, they need to shape the content of the contract with any third party with which information assets are shared. Security and privacy clauses should reflect the outcomes of the respective pre-engagement risk assessments. In most instances, this means specifying the organisational and technical measures that suppliers must implement to safeguard information assets.