All businesses increasingly rely on other service providers to deliver their products and services, and even a small business will have a surprisingly large supply chain made up of many large and small suppliers (who of course have many of their own suppliers).

Cyber-security has focussed on how to strengthen your organisation; however, incidents during 2017 at the Australian Defense Department and the Australian Red Cross Blood Service are a reminder that the weakest link in the data security chain is often not you. Further, failing to appropriately manage your suppliers could be a breach of the Privacy Act obligation to take reasonable steps to protect the security of personal information.

So what can you practically do to mitigate the business operation and reputational risks of this happening to you?  Here are some basic starting points:

  • Know what data you collect (and why), where your data is stored, and the data flows between your organisation and your various suppliers. You’ll probably be surprised where it all is.

  • Know your suppliers. For those that will hold your data, do reasonable due diligence and take reasonable steps to verify their security practices and procedures. In most cases, they should have security policies that have been codified and certified or validated by a third party against reputable standards.

  • Have good governance that limits the people who are authorised to enter into contracts to those who understand and can manage the cyber risk specific to your business.

  • Have good contracts that impose obligations relevant to your risk profile. As a minimum, your suppliers should have and enforce appropriate security mechanisms, notify you of any incidents and comply with all relevant laws. You should also consider audit rights, data governance arrangements, data loss processes and the risk allocation regime, and ensure that liability that should be borne by the supplier is not excluded or unreasonably limited.

As usual, getting ahead of these sorts of risks requires some ‘boring-but-important’ work up front on people, processes and contracts.

For advice or further information please contact:

Paul Gray
Principal Lawyer
T  03 5225 5231


Jesse Drever
T  03 5225 5226