Regional Australia Bank (RAB) is responsible for the breach of 197 customers’ data even though the error was caused by its outsourcer Biza, the Australian Privacy Commissioner has ruled in blaming RAB for a software bug the bank knew nothing about and “was not in a position to” fix.

The new determination completes an investigation into a February 2023 error that occurred during the transfer of RAB customer data through Biza.io, whose managed service facilitates over five million data requests monthly as part of the nationwide consumer data right (CDR) scheme.

The error arose while RAB – the first non-major bank to go live with CDR – was working with Biza to integrate Biza’s software adaptor with its core banking system to enable the transfer of CDR data according to the government’s strict privacy and security requirements.

A bug in a pre-production version of the system was identified and promptly patched by Biza; however, the company’s software team failed to recognise that RAB’s pre-production environment needed updating, which enabled the bug to persist even after the system went live.

“Consumer data was co-mingled within the RAB tenancy, leading to inaccurate CDR data,” Biza.io founder and CEO Stuart Low explained to Information Age.

“The nature of the issue,” he explained, “is that the bug remained dormant and only surfaced once there was sufficient CDR demand to trigger the bug in the caching logic used by the connection software.

“Therefore, there was no way to identify it through standard pre-deployment testing.”
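The article does not detail the caching bug, so the following is an added illustration (not Biza's or RAB's code) of the failure mode Low describes: a response cache in a hypothetical CDR connection adaptor that only engages once request volume crosses a threshold, so a key that omits the consumer stays dormant in a low-volume functional test and co-mingles two consumers' data only under sustained demand. Names, thresholds and the sample ledger are all constructed.

```python
from dataclasses import dataclass, field

# Constructed sample ledger: transactions a data holder has per consumer.
LEDGER = {
    "consumer-A": ["consumer-A:txn-1", "consumer-A:txn-2"],
    "consumer-B": ["consumer-B:txn-1"],
}

@dataclass
class Adaptor:
    """Fetches a consumer's CDR transactions through a response cache that
    only engages once request volume passes a threshold (hypothetical)."""
    key_by_consumer: bool            # False reproduces the flawed keying
    cache_after: int = 3             # cache stays idle at low volume
    calls: int = 0
    cache: dict = field(default_factory=dict)

    def transactions(self, tenant: str, consumer: str) -> list:
        self.calls += 1
        # Flawed key is the tenancy alone, so two consumers in the same
        # tenancy share one cache entry; the fix adds the consumer to the key.
        key = (tenant, consumer) if self.key_by_consumer else (tenant,)
        if self.calls > self.cache_after:
            if key not in self.cache:
                self.cache[key] = list(LEDGER[consumer])
            return self.cache[key]
        return list(LEDGER[consumer])

def count_leaks(adaptor: Adaptor, requests) -> int:
    """Invariant check for a test harness: every transaction in a response
    must belong to the consumer who requested it."""
    leaks = 0
    for tenant, consumer in requests:
        got = adaptor.transactions(tenant, consumer)
        if any(txn.split(":")[0] != consumer for txn in got):
            leaks += 1
    return leaks

def run(key_by_consumer: bool, requests) -> int:
    return count_leaks(Adaptor(key_by_consumer), requests)

# Low-volume functional test never crosses the cache threshold.
LOW_VOLUME = [("rab", "consumer-A"), ("rab", "consumer-B")]
# Sustained demand: the same two consumers interleaved ten times.
LOAD = [("rab", c) for c in ("consumer-A", "consumer-B")] * 5

if __name__ == "__main__":
    print("flawed, low volume:", run(False, LOW_VOLUME))  # 0 leaks: dormant
    print("flawed, under load:", run(False, LOAD))        # 3 leaks
    print("fixed, under load :", run(True, LOAD))         # 0 leaks
```

The point for a data holder overseeing an outsourcer is the invariant check, not the toy cache: running it under load in every environment that will serve live traffic is what a low-volume pre-deployment test misses.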

In June 2023, the ACCC was notified through its CDR Service Management Portal that a RAB customer using Biza’s CDR service had received bank transaction data that belonged to another RAB customer – sparking an investigation that revealed up to 197 customers were affected.

“It appears that neither party was aware that [RAB’s] environment also required patching,” Privacy Commissioner Carly Kind said, “and that it was likely that the incident would have gone unnoticed… had it not been raised via the Portal.”

Your outsourcer’s mistakes are yours too

The ruling has significant implications for companies, such as RAB, that use contractual terms to protect themselves from liability for any errors by the agents they contract with.

RAB – which has around 80,000 customers and is in the midst of a merger – adopted CDR enthusiastically, with chief digital officer Rob Hale previously saying that participating in the scheme “means we can streamline processes, saving customers time and effort.”

Its first use case – allowing customers to upload bank statements to have their spending automatically analysed – would leverage CDR, Hale said, to “automate that whole process, which creates more time to have a human conversation about someone’s financial needs.”

The incident was a hiccup in RAB’s CDR adoption and “was addressed swiftly,” Low said, noting that Biza subsequently “took steps to enhance our existing control framework from ISO27001 to SOC2.”

The data of 197 Regional Australia Bank customers was mixed up. Photo: Shutterstock

Although RAB “took reasonable steps to comply with… privacy safeguards, Biza did not,” Kind found while nonetheless pointing the finger at RAB – which, she noted, “had sought via contractual provisions to shift liability for non-compliance with the CDR framework to Biza.”

“When you outsource obligations under the CDR framework,” she continued, “you have oversight responsibilities for those contractors and need to make sure that they are doing the right thing and that individuals’ privacy is protected.”

It extends the broader supply chain concerns more often discussed in the context of cybersecurity, where security specialists urge companies to ensure that the third parties they engage are both demonstrably secure and regularly tested for that security.

The RAB decision confirms that such care also needs to be applied to operational systems, with Kind citing laws that assign responsibility for agents’ behaviour to the companies that engage them.

“RAB was liable for any failings by Biza,” she said, “even if it had no knowledge or awareness of them and was not in a position to take steps to prevent or address them.”

In CDR we trust

The decision is a benchmark for delegating onus within the CDR ecosystem, with Kind arguing that it “clarifies the OAIC’s position where outsourcing is involved” even as she admitted that “those findings may cause some discomfort for regulated entities, as they have for [RAB].”

Biza previously warned about the complexities of CDR risk, writing in a 2022 submission that “use of intermediaries may significantly increase the risk of profile of actions…. recent privacy act proposals serve to highlight increased exposure of holders to such risks outside their control.”

It comes amidst an ongoing government effort to bolster confidence in, and take-up of, the CDR scheme – which was originally introduced in 2020 but has struggled to gain traction with consumers despite being tweaked, revised, and ‘reset’ to address privacy and other concerns.

Biza – like Yodlee, Payble and numerous other firms – securely facilitates the transfer of CDR data in a process that has enabled services such as banking and energy product comparisons, COVID contact tracing, shopping optimisation, and analysis of customer spending.

With consumers’ confidence critical to CDR’s success, banks have previously been fined for oversights like missing compliance deadlines – but by confirming that banks can be punished for outsourcers’ mistakes, the Privacy Commissioner has further raised the bar.

“I hope that this determination will clarify the position for outsourcing and outsourced entities and inform decisions about the governance arrangements pertaining to outsourcing going forward,” Kind wrote.