Data breaches are common among Australian businesses, with malicious attacks, human error, and system faults continuing to compromise digital records in multiple industry sectors. In order to keep track of significant breaches, the Office of the Australian Information Commissioner (OAIC) publishes twice-yearly reports on all notifications received under the Notifiable Data Breaches (NDB) scheme. Along with the frequency, cause, and scope of security breaches, the report analysed response mechanisms regarding all notifications that involved a managed service provider (MSP).
An MSP is a third party that remotely manages IT infrastructure or systems for another entity. MSPs often work on a proactive basis under a subscription model, from the remote management and monitoring (RMM) of servers and networks to specific IT services such as data storage, vertical integration solutions, remote firewall administration, and security services. Depending on the nature and scope of the relationship, an MSP may also be described as a cloud service provider; in either case the service is supported by financial and legal agreements and delivered over the internet.
An MSP is responsible for hosting or holding data on behalf of another entity. This can create complex legal and regulatory challenges, with information often held by an individual or business along with their designated MSP. The OAIC’s Data Breach Preparation and Response guide recognises the joint nature of information ownership, with one entity typically responsible for collecting and controlling information from a legal perspective.
While every organisation has an intimate relationship with their own information, MSPs manage and control this data on their own physical servers and technology infrastructure.
In situations like this, which are extremely common, data breaches that involve one entity often involve all other entities with access to the same data. The NDB scheme lays out specific challenges and responsibilities for all entities involved, and compliance by one entity is often taken as compliance by all other entities that hold the same information. While this situation can seem complex, each entity has the freedom to take control of all compliance issues under the scheme.
In the case of multi-party security breaches, the NDB scheme lets individual entities decide what they should do based on their existing relationship. The following two responses were noted in the report:
While many businesses are happy to take on this responsibility, it is not without risk. When a security breach does occur, many entities fall short of their obligations under the NDB scheme. While MSPs are well-placed to meet the requirements of the scheme, individual businesses and organisations often lack the expertise or resources to respond appropriately.
Divergence in reporting frequency and response capability has been recognised by the OAIC, with differences easy to identify when multiple entities associated with the same MSP are involved in the same data breach. In situations that involved multiple entities, only some made the appropriate notifications. If the clients of an MSP involved in a data breach fail to notify the OAIC, they may have failed to meet their obligations. If this occurs, it represents a breach of the provisions of Part IIIC of the Privacy Act.
If you’ve faced any kind of data breach, it’s essential to identify the cause of the security incident and recover any losses to your business. For comprehensive data breach investigations, practical advice, and actionable recommendations, contact Intrix Cyber Security today for a confidential consultation.