What To Do If a Third Party Mishandles Data Your Organisation Shared with It
Earlier this year, news broke about a third-party data breach that impacted the personal information of customers of The Good Guys. Their former loyalty program supplier, My Rewards, was compromised and their customers’ names, email addresses, and phone numbers were published on the internet.
It’s crucial that your organisation quickly enacts its third-party data breach response plan if a third party mishandles the data you share with it. In this post, we’ll outline some considerations you should keep top of mind after a third party has mishandled the data you shared with it.
What To Do If a Third Party Mishandles Data
Step 1: Decide If You Need to Activate Your Incident Response/Data Breach Plan
If you learn that a third party has mishandled data your organisation shared with it, your first step will be to work with the third party to determine what’s happened and what they’re doing about it.
You will need to gather information to determine if your customer’s personal information has been exposed or exfiltrated. (In other words, you’ll need to work with the third party to first determine if a data breach has occurred.) If it has, you’ll then need to activate your incident response plan internally, including setting up frequent communications with the third party to ensure their response is adequate and to establish a clear and regular flow of information.
Step 2: Implement Your Communications Plan
Your organisation’s Communications Plan should reflect your planned internal and external communications. It should integrate with that of your third party, so that you’re presenting consistent and accurate information.
This requires your third party to communicate transparently about the breach in a timely way. In practice, this will largely be dependent on your relationship with your third party. However, you should also include general contractual language in your contract around this.
In terms of your external communications, you need to make sure you don’t make any misleading statements about the breach, which can be challenging – particularly in the early stages. You also need to balance providing affected individuals with information they need to protect themselves with publicly sharing information that may increase the risk or put them at further risk. The difficulty of this is compounded by the fact that you’re relying on information coming from your third party.
Your internal communications should share important information with your team, so they pass on accurate information. You should also anticipate questions people will ask and let relevant team members know the answers. Consistency from your team in their response to the breach can help to protect your reputation, and your communications with them should empower them to provide consistent (and accurate) information.
Step 3: Review Your Notification Obligations
Your organisation may have notification obligations if your customer’s data was breached via your third-party supplier. It doesn’t necessarily matter whether or not your systems were breached.
The OAIC says:
“…an eligible data breach of one entity will also be considered an eligible data breach of other entities that hold the affected information. Both will have obligations under the NDB scheme.”
However, the OAIC suggests that, as a general rule, the organisation with the most direct link to the customer should be the party that notifies the customers of the breach.
You can see more from the OAIC about the Notifiable Data Breach Scheme. We’ve also published a basic (but detailed) guide to the Notifiable Data Breach Scheme in Australia.
Step 4: Participate in the Investigation of the Breach.
In our coverage of the Optus Data Breach, we noted that the Australian Government explicitly stated that Optus is not cooperating, and its response is not good enough. Optus’ response to the breach was also widely criticised in the media and by its customers – and it’s safe to say that this had a swift negative impact on its reputation.
It’s critical that any organisation that has experienced a breach (including a breach via a third party) cooperates with regulators – since the Australian Government has made it clear that it will call out companies that don’t.
However, it is more likely that it will be the third party taking the reins on the investigation in the case of a third-party breach. In this instance, hopefully you have some contractual provision to share the investigation details with you.
Ideally, your relationship with your third party is good enough at this stage that you can probe them to ensure they’re doing the right thing throughout the investigation.
Step 5: Loop in Your Cyber Liability Insurer, If You Have One.
Despite the breach occurring via a third party, it is likely that you will incur (potentially significant) costs to notify your customers and take remedial action, in addition to legal costs. Your cyber liability insurance may cover some or all of your costs following a third-party data breach (depending on your policy wording).
Step 6: Consider Transitioning to a New Supplier.
Finally, you should consider whether the third-party suppliers mishandling of your data was severe enough to warrant moving to a new supplier – or even making changes to your operations.
You should strongly consider the impact that the breach has had on your customers and their trust in your company. Your organisation should balance the impact of that loss of trust on its operations and decide whether the outsourced service is worth the potential legal and reputational risk that comes with sharing the data with a third party.
If you decide that the services are ‘worth it’, then you’ll need to decide whether the breach warrants transitioning to a new supplier. If so, you should properly vet any new supplier and ask these questions before signing on with someone new.
Plan for a Data Breach with Privacy 108
To help ensure the right people, processes and systems are in place, our team will work with you to develop an information security incident and data breach response plan, tailored for your organisation.
Our approach involves discussions with all stakeholders, review of relevant organisational policies and procedures and familiarising ourselves with existing systems to make sure the information security incident and data breach response we create aligns to your culture and is fit for purpose for your organisation.
Reach out to find out more: