MoranLaw Blog

Outsourced, but not off the hook: who’s accountable in a third-party privacy breach?

Written by Louisa Joblin | October 22, 2025 12:38:22 AM Z

As supply chains lengthen and the use of cloud services grows, New Zealanders are increasingly seeing their personal information exposed through breaches involving major organisations. Many of these breaches stem not from internal failures but from vulnerabilities in third-party systems. The growing risk of third-party breaches creates legal and reputational consequences for organisations and calls for practical steps to mitigate exposure.

These incidents serve as a stark reminder for organisations responsible for personal information that outsourcing a service does not outsource responsibility.
Under the Privacy Act 2020, organisations remain responsible for personal information even when it is handled by external providers delivering services to them or on their behalf (such as IT providers, cloud services, payroll providers and payment processors).
There is a common thread among recent examples of third-party breaches involving the personal information of New Zealanders: the breach originated on a third-party platform or with a vendor, and the information was exposed through the actions of a malicious actor (for example, a cyber-attack that exploited a vulnerability or an unprotected database).

What does the Privacy Act say about these situations?

  • Organisations which collect personal information are responsible for that information even where it is handled by third parties on their behalf.
  • Organisations must ensure that personal information is stored securely, and that disclosure is carefully controlled.
  • Where a privacy breach occurs which the organisation believes has caused, or is likely to cause, serious harm (a “notifiable privacy breach”), it must be notified to the Office of the Privacy Commissioner and to the affected individuals (unless limited exceptions apply) as soon as practicable after the organisation becomes aware of it, ideally within 72 hours.

Notifiable breaches can become tricky where the issue originates from a third party’s system…

If an organisation is unable (whether temporarily or permanently) to access personal information for which it is responsible, it is experiencing a privacy breach.
Challenging situations can arise, however, when a third-party service provider suffers a data incident affecting personal information it holds on behalf of the responsible organisation. To comply with its obligations under the Privacy Act, the responsible organisation needs to know that the incident is happening, which is not always the case if there is no strong contractual relationship in place. Without a contractual basis for notifying one another, the organisation may not know what is happening to the service provider’s systems, and may be unaware that, as a result, it has obligations to respond to a privacy breach.
Failing to notify a notifiable privacy breach can lead to a complaint to, and investigation by, the Office of the Privacy Commissioner, and is likely to have a reputational impact that erodes public trust and confidence in the organisation, especially if the breach is large scale or involves sensitive personal information.

So what can organisations do to manage this risk of third-party privacy breaches?

  • Due diligence: organisations should conduct careful due diligence on potential third-party service providers before engaging them, including reviewing their security practices and the terms they propose around privacy and data protection.
  • Contractual safeguards: contracts with third-party service providers should contain strong privacy clauses and breach notification obligations, so that the organisation learns of an incident in time to meet its own notification duties.
  • Ongoing oversight: organisations may also want to build in rights to audit the service provider and to receive regular reporting, to confirm ongoing compliance with the agreed terms.
  • Incident response planning: all organisations responsible for personal information should have data incident response plans in place, and those plans should include third-party breach scenarios.
  • Governance: boards and executives must treat privacy risk, including the risk of third-party breaches, as a governance issue and not just an IT one.
MoranLaw’s experienced team can help your organisation understand and manage the risk of third-party privacy breaches, including advising on contract terms and drawing up a bespoke data incident response plan.  Get in touch today.