The Office of the Australian Information Commissioner (OAIC) has sounded a warning to managed service providers (MSPs) to ensure they are reporting breaches, even if their customers do not.
In the latest Notifiable Data Breaches Report, which covered the second half of 2020, the Commissioner warned MSPs that it was the responsibility of both the holder and the customer to determine which party would report a data breach to the Government.
The OAIC said it had received a number of notifications involving an MSP hosting or holding data on behalf of one or more customers.
The OAIC has stated that it considers a data breach at a customer to be a data breach at the MSP and vice versa.
While both entities are not required to report, at least one of them is, and the OAIC warned that MSPs needed to establish clearly with each customer which party would do so.
“The OAIC has seen different responses by entities involved in multi-party breaches. In several instances, the MSP managed all aspects of the data breach response in consultation with its clients and coordinated the notification to the OAIC and individuals affected by the data breach,” the OAIC stated in the report.
“In some other cases, MSPs notified their clients of the data breach but otherwise left to them the responsibility for meeting the assessment and notification requirements of the NDB scheme.
“This approach broadly corresponds with OAIC guidance that suggests the entity with the most direct relationship with the individuals affected by the data breach should generally carry out the notification.”
The OAIC went on to say that this approach was, “not without risk and may result in entities falling short of their obligations under the NDB scheme”.
The Commissioner reported it had received notifications from multiple entities that experienced a data breach resulting from a single compromise of an MSP they all used.
“However, the OAIC had grounds to believe the compromise had also affected several other entities that did not notify the OAIC of the data breach.”
In the report, the Commissioner warned that in such an instance, both the MSP and the clients that did not notify the OAIC may have failed to meet their obligations under the Privacy Act.
“A failure by both the MSP and its clients to notify the OAIC and individuals at risk of serious harm from a data breach will represent a breach of the provisions of Part IIIC of the Privacy Act, and will likely constitute an interference with privacy by all.”