Data breaches are common among Australian businesses, with malicious attacks, human error, and system faults continuing to compromise digital records across multiple industry sectors. To keep track of significant breaches, the Office of the Australian Information Commissioner (OAIC) publishes twice-yearly reports on all notifications received under the Notifiable Data Breaches (NDB) scheme. Along with the frequency, cause, and scope of security breaches, the report analysed the response mechanisms used in every notification that involved a managed service provider (MSP).
What is an MSP?
An MSP is a third party that remotely manages IT infrastructure or systems for another entity. MSPs often work on a proactive basis under a subscription model, ranging from the remote management and monitoring (RMM) of servers and networks to specific IT services such as data storage, vertical integration solutions, remote firewall administration, and security services. Depending on the nature and scope of the relationship, the provider may be described as a cloud service provider or a managed service provider; in either case the service is supported by financial and legal agreements and delivered over the internet.
MSPs and data breaches
An MSP is responsible for hosting or holding data on behalf of another entity. This can create complex legal and regulatory challenges, with information often held by an individual or business along with their designated MSP. The OAIC’s Data Breach Preparation and Response guide recognises the joint nature of information ownership, with one entity typically responsible for collecting and controlling information from a legal perspective.
While every organisation has an intimate relationship with their own information, MSPs manage and control this data on their own physical servers and technology infrastructure.
In situations like this, which are extremely common, a data breach that involves one entity often involves every other entity with access to the same data. The NDB scheme lays out specific challenges and responsibilities for all entities involved, and compliance by one entity is often taken as compliance by all other entities that hold the same information. While this situation can seem complex, each entity remains free to take control of its own compliance under the scheme.
Who holds responsibility for multi-party breaches?
In the case of multi-party security breaches, the NDB scheme lets individual entities decide what they should do based on their existing relationship. The following two responses were noted in the report:
- In many situations, the MSP in question managed all aspects of the data breach response, consulting with clients and coordinating the recovery and notification process.
- In other cases, the MSP in question notified all clients of the data breach and let them take control of all assessment and notification requirements.
While many businesses are happy to take on this responsibility, it is not without risk. When a security breach does occur, many entities fall short of their obligations under the NDB scheme. While MSPs are well placed to meet the requirements of the scheme, individual businesses and organisations often lack the expertise or resources to respond correctly.
The OAIC has recognised this divergence in reporting frequency and response capability, and the differences are easy to identify when multiple entities associated with the same MSP are involved in the same data breach. In situations that involved multiple entities, only some made the appropriate notifications. If the clients of an MSP involved in a data breach fail to notify the OAIC, they may have failed to meet their obligations, which represents a breach of the provisions of Part IIIC of the Privacy Act.
If you’ve faced any kind of data breach, it’s essential to identify the cause of the security incident and recover any losses to your business. For comprehensive data breach investigations, practical advice, and actionable recommendations, contact Intrix Cyber Security today for a confidential consultation.