Why ‘It’s Not Our Fault’ No Longer Protects Your Organisation

The era of outsourcing accountability is over. Australia’s consumer data right determination shows why organisations can no longer hide behind third parties.
The most expensive words in cybersecurity might just be “it’s not our fault.” On 28 May 2025, the Australian Privacy Commissioner delivered a wake-up call.
In a landmark determination, Regional Australia Bank (RAB) was held liable for a data breach caused entirely by their third-party service provider, Biza Pty Ltd, even though RAB had no knowledge of the breach.
This precedent-setting case under Australia’s Consumer Data Right (CDR) regime signals a fundamental shift in how regulators view organisational accountability. The message is clear: when it comes to data protection and compliance, the buck stops with you.
The Case That Changed Everything
The breach itself was relatively small in scale. CDR data from up to 197 consumers was co-mingled and inaccurately disclosed due to software issues within Biza’s systems. The problem was only discovered when a consumer found banking transactions that didn’t belong to them. Small breach, massive implications.
Despite RAB having no direct involvement in the technical failure, the Australian Privacy Commissioner found them in violation of two critical CDR privacy safeguards:
- Safeguard 1: Data holders must implement effective data governance frameworks for managing, securing, and maintaining the integrity of consumer data
- Safeguard 11: Data holders must take reasonable steps to ensure CDR data is accurate, current, and complete
The determination was unambiguous: outsourcing data processing doesn’t relieve organisations of their ongoing responsibility to ensure third parties are adhering to compliance standards.

Why This Matters Beyond Australia
While this case specifically relates to Australia’s CDR regime, the principles it establishes have far-reaching implications, particularly with New Zealand’s Customer and Product Data Act 2025 coming into force for the banking sector on 1 December 2025. The determination demonstrates three critical realities that apply across jurisdictions:
1. Contractual Protection Is Not Enough
Many organisations believe robust contracts with third-party providers shield them from liability. The RAB case proves this assumption is dangerously flawed. It’s not sufficient for a contract to simply state that the service provider must meet certain security or compliance requirements; organisations must actively ensure these obligations are being fulfilled.
2. “No News Is Good News” Is No Longer Viable
The days of assuming everything is fine because you haven’t heard otherwise are over. The determination emphasises that data holders cannot simply assume their third-party providers are managing risks appropriately. Active oversight, regular auditing, and ongoing assurance frameworks are now essential compliance requirements, not just best practices.
3. Supply Chain Complexity Increases, Not Decreases, Liability
As Ikara’s research shows, analysts predict that supply chain attacks will impact 45% of global organisations. The interconnected nature of modern IT service delivery creates complex webs of dependency where security and quality interdependencies are often opaque. Rather than diffusing responsibility, this complexity amplifies it for the primary data holder.

The Cost of Accountability Avoidance
The financial and reputational costs of failed third-party relationships extend far beyond regulatory penalties. Consider the broader business impact:
Operational Disruption: When third-party failures occur, the primary organisation bears the full cost of incident response, customer communication, and service restoration.
Regulatory Scrutiny: Breaches trigger comprehensive regulatory reviews that often expose broader governance weaknesses across the organisation.
Customer Trust Erosion: Customers fail to distinguish between direct organisational failures and third-party provider issues, holding the primary organisation accountable for all service disruptions.
Board and Executive Liability: Directors and executives face increasing personal liability for governance failures, regardless of where in the supply chain they originate.
Building Resilient Third-Party Risk Management
The shift towards absolute accountability doesn’t mean organisations should avoid third-party partnerships; it means they need to manage them more intelligently. Here’s how leading organisations are adapting:
1. Implement Continuous Monitoring, Not Point-in-Time Assessments
Traditional due diligence processes that rely on annual security questionnaires and certifications are insufficient in today’s threat environment. Organisations need real-time visibility into their third-party providers’ security posture, compliance status, and operational performance.
2. Integrate Commercial and Technical Governance
The RAB determination highlights the critical importance of aligning contractual obligations with technical controls. Organisations must ensure their commercial agreements include specific, measurable requirements for security standards, incident response procedures, and data governance practices.
3. Establish Clear Escalation and Remediation Frameworks
When third-party issues arise, organisations need predefined processes for immediate response, customer communication, and service restoration. The goal is to minimise impact while maintaining full transparency with regulators and stakeholders.
4. Invest in Supply Chain Visibility Technology
Manual oversight of complex supply chains is no longer feasible. Organisations need technological solutions that provide consolidated visibility across their entire digital ecosystem, enabling proactive risk identification and automated compliance monitoring.
The New Reality of Digital Supply Chain Governance
The RAB determination represents more than a regulatory decision; it’s a recognition of how fundamentally the digital economy has changed organisational risk profiles.
When your business depends on complex supply chains where security and quality interdependencies span multiple vendors, countries, and regulatory jurisdictions, traditional approaches to risk management become inadequate.
As boards and authorities increasingly demand adequate controls to achieve operational resilience, particularly in regulated industries, organisations must embrace their role as orchestrators of their entire digital ecosystem. This means taking active responsibility for the security, compliance, and performance of every component in their supply chain.

Moving Forward: From Risk Avoidance to Risk Orchestration
Organisations can no longer rely on contractual indemnities or the hope that third-party problems won’t become their problems. Instead, they must evolve from risk avoiders to risk orchestrators.
This transformation requires more than new processes or technologies; it demands a fundamental shift in organisational mindset. From the boardroom to the IT department, everyone must understand that in today’s interconnected business environment, your organisation’s reputation, compliance status, and operational resilience are only as strong as your weakest third-party link.
The organisations that thrive in this new environment won’t be those that avoid third-party relationships, but those that excel at managing them. They’ll have real-time visibility into their entire digital supply chain, proactive risk management processes, and the technological infrastructure to turn third-party complexity into a competitive advantage.
The question isn’t whether you can avoid accountability for third-party failures; the RAB determination proves you can’t. The question is whether you’re prepared to take control of that accountability and turn it into a strategic strength.