The buck stops somewhere
The sub-contractor got the commercially sensitive information from somewhere. If the somewhere was a bundle of papers casually handed across at a meeting with no real warnings about the security to be provided for the data (or the email equivalent of that scenario) then any data loss is both the sub-contractor's and the main contractor's fault. If the main contractor gave specific and sufficient security instructions and got specific and sufficient assurances from the sub-contractor then it is the sub-contractor's fault. Even if it is the fault of some poor sod in purchasing who didn't read the Ts&Cs properly, someone didn't do his job properly.
Maybe in Australia a terse comment from the ASD is enough to get standards raised but they will still have to prove it.
Biting the hand that feeds IT
