Overview: Service providers, security and data breach notification

Types of service providers

A service provider is an organisation or person that provides any form of service to another organisation or individual.

Most service providers will have access to, use or store data or information in relation to providing a service that could be involved in a data security breach.

Such data or information may include personal information, confidential financial information or trade secrets, intellectual property and government official information.

A data security breach may arise whenever data or information of a service provider is accessed or used in any manner without permission, or is stolen, lost, corrupted, damaged or destroyed.

This may occur through the deployment of malicious code, by the acts or omissions of the service provider’s employees or contractors, through unauthorised access to and use of a service provider’s data or information, by theft of data or information, or by theft of IT devices on which such data or information is stored.

If a service provider does not maintain effective data security, it may be exposed to a number of risks, in particular, legal, financial and reputational risks.

Where a service provider subcontracts or outsources services or tasks to another party, it should ensure that the security posture of the other party is at least as effective as the security posture of the service provider.

The service provider should also consider whether the jurisdiction in which such other party is located would enable the service provider to effectively enforce contractual obligations in relation to data security against the other party.

See Types of service providers.

Preventative measures for service providers in relation to data security

A service provider can seek to prevent or minimise data security breaches from occurring by implementing an effective organisational data security compliance framework.

An effective organisational data security compliance framework can avoid or minimise the risk of an organisation and individuals within it breaching data security obligations.

The specific details of what comprises an effective organisational data security compliance framework will vary between organisations, and will depend on a range of factors including a service provider’s level of compliance with data security obligations, the types of data it has access to, its structure, size, resources, industry sector, regulatory environment and the compliance issues facing the organisation.

A service provider should conduct regular audits of its IT security systems, processes, practices and policies.

The audits should be undertaken by the service provider’s IT security staff with appropriate skills and experience or by an external IT security specialist.

The findings of such audits will enable the service provider to determine what actions are required to remediate any adverse audit findings, including in relation to its IT security policies, systems, controls, processes and practices.

A service provider’s employees and contractors should receive regular training on compliance with data security requirements.

Service providers should develop and maintain a positive and strong compliance culture in relation to data security obligations.

Service providers should also implement effective internal governance processes and oversight of data security issues.

See Preventative measures for service providers in relation to data security.

Obligations to respond appropriately to data breaches

To determine how to respond to a data security breach, a service provider should determine:

  • what is the nature of the data security breach;
  • what is/are the cause(s) of the data security breach;
  • who is the perpetrator of the breach;
  • who is affected by the data security breach; and
  • what are the potential consequences for the service provider and those affected by the data security breach.

A service provider should have one or more decision-makers (ie a response team) who are responsible for:

  • assessing the nature and cause(s) of a data security breach;
  • identifying who the perpetrator of the breach is;
  • identifying who is affected and what the potential consequences are; and
  • deciding upon an appropriate course of action for the service provider in relation to a data security breach.

It is important for a service provider to first identify the nature of a data security breach, to help it determine and plan an appropriate response.

It is also important for a service provider to identify the cause(s) of a data security breach, to help it determine an appropriate response.

Once a service provider has identified the nature and cause(s) of the data security breach, it can:

  • prepare its response plan; and
  • implement remedial measures to seek to avoid any recurrences of the data security breach.

The nature of a data security breach, eg a breach of the Privacy Act 1988 (Cth) or a breach of a commercial contract in relation to privacy or data security, may require notification to affected parties or regulators within specified periods of time, and may also require a level of cooperation and disclosure in relation to subsequent investigations. See Overview — The data breach notification regime.

It is also important for a service provider to identify the actual and potential consequence(s) of a data security breach.

Promptly upon becoming aware of a data security breach, a service provider should ensure that key internal stakeholders are:

  • alerted to the occurrence of the data security breach; and
  • given sufficient information in relation to the data security breach as soon as possible to enable them to assess the potential impacts of the occurrence.

There is a range of issues for a service provider to consider when responding to a data security breach where the service provider is at fault, including breach notification requirements and communications with affected parties.

There is also a range of issues for a service provider to consider when it is affected by a data security breach by another organisation.

See Obligations to respond appropriately to data breaches.

Managing disaster recovery and business continuity

The concept of disaster recovery usually refers to the ability of an organisation to resume or continue its normal operations or provision of services following the occurrence of an unforeseen, serious incident that caused interruption to its normal operations or provision of services.

Most organisations maintain some form of disaster recovery plan and business continuity plan.

There are a number of international standards relating to business continuity. There are a number of issues for an organisation to consider when preparing a disaster recovery plan and a business continuity plan.

See Managing disaster recovery and business continuity.