Organisations are realising that failure to protect customer data is creating long-term business problems. One of the biggest is the fear of being unable to manage the fallout of a data breach involving a third-party processor.
Consumer reaction to data breaches
In a recent survey of 7,500 consumers in France, Germany, Italy, the U.K. and the U.S., 69 percent said they have boycotted, or would boycott, an organisation that “showed a lack of integrity for protecting customer data”. The concern is real.
Furthermore, 62 percent of consumers said they would blame the company that collected their data (the controller), and certainly not a third-party processor, if their personal data were lost.
Placing your data in the cloud does not mean you wash your hands of responsibility for it. With the introduction of the GDPR, third-party risk became even more heightened. If your data handler or data processor suffers a breach, you, the data controller, will almost certainly be held accountable. If you can show that you did your due diligence before working with the third party, however, the regulators will look on the breach very differently.
Low-cost airline group Lion Air recently found around 30 million passenger records posted online, including passport details, names, addresses and contact details. It appears that an AWS storage bucket holding the data was not secured and was left open to the internet.
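The “left open” bucket in the Lion Air case is a configuration failure, and it is one a controller can check for before (and after) handing data to a processor. The following is an added example, not code from the original article or from Lion Air: it evaluates the two artefacts that make an S3 bucket publicly readable, the bucket ACL and the bucket policy, as JSON in the shape the AWS `get_bucket_acl` and `get_bucket_policy` APIs return them. The bucket name, account ID, role name and the four sample documents are constructed for the example.

```python
"""Offline check for the S3 misconfiguration behind 'left open' buckets.

Added example (not from the original article). Input documents are in the
shape returned by the AWS S3 APIs get_bucket_acl / get_bucket_policy; the
samples at the bottom are constructed for this example.
"""
from __future__ import annotations

# Pre-defined group URIs an ACL grant can name. AllUsers means anyone on the
# internet with no credentials; AuthenticatedUsers means anyone with any AWS
# account. Both count as public here.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def acl_public_grants(acl: dict) -> list[str]:
    """One finding per ACL grant that gives READ or FULL_CONTROL to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            if grant.get("Permission") in READ_PERMISSIONS:
                group = grantee["URI"].rsplit("/", 1)[-1]
                findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def _principal_is_anyone(principal) -> bool:
    """Policy principals may be "*", {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_public_statements(policy: dict) -> list[str]:
    """One finding per Allow statement that lets any principal read objects."""
    findings = []
    for stmt in policy.get("Statement", []):
        # Deny statements (e.g. 'deny non-TLS') legitimately use Principal "*".
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("*", "s3:*", "s3:GetObject") for a in actions):
            continue
        # A Condition may narrow the statement (source VPC, IP range...), but
        # that needs human review, so it is reported rather than ignored.
        if stmt.get("Condition"):
            findings.append(f"Allow {actions} to any principal, limited by Condition {list(stmt['Condition'])}")
        else:
            findings.append(f"Allow {actions} to any principal with no Condition")
    return findings


def bucket_is_public(acl: dict, policy: dict | None) -> tuple[bool, list[str]]:
    """Combine ACL and policy findings; a bucket with no policy is judged on its ACL alone."""
    findings = acl_public_grants(acl)
    if policy:
        findings += policy_public_statements(policy)
    return bool(findings), findings


# --- constructed sample documents (hypothetical bucket and account) ----------
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
OPEN_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LOCKED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-passenger-exports/*"},
]}
LOCKED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReaderRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-passenger-exports/*"},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-passenger-exports/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    for label, acl, policy in (("open", OPEN_ACL, OPEN_POLICY), ("locked", LOCKED_ACL, LOCKED_POLICY)):
        public, findings = bucket_is_public(acl, policy)
        print(f"{label}: public={public}", *findings, sep="\n  ")
```

Two caveats worth keeping in mind when using this in a real review: the check reads only the bucket-level ACL and policy, so it does not see per-object ACLs, and it does not know whether S3 Block Public Access is switched on for the account or bucket, which would override a public grant. Both should be checked alongside it, and the results recorded as part of the due diligence evidence for the processor.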
With the Asia region still catching up on privacy law, the fines that can be imposed, the obligation to report a breach to a regulator and, more importantly, the obligation to inform the affected data subjects are sketchy to say the least. It is not yet certain whether Lion Group or any of the third parties involved were subject to the GDPR. If they were, the fine and the damage to the brand could make a large dent in the business and threaten its operations.
Quite often security is an afterthought. Data centre hosting can involve a myriad of complex contracts: a data centre owned by one company, operated by another, under contract to yet another, and when something goes wrong everyone points fingers at each other.
From a legal standpoint, there can still be issues with cloud service providers.
Most controllers concentrate on two requirements of their processors:
- Processor will follow the processing instructions, and
- that they will keep the data secure.
But third-party due diligence needs to go further and deeper.
A full third-party due diligence audit should take place, and the right to carry one out should be clearly stated in data processing addenda and SCCs (Standard Contractual Clauses).
Under the GDPR, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, not almost a year later, as with Uber. If the breach is likely to result in a “high risk to the rights and freedoms” of individuals, the regulation goes further: the affected data subjects themselves must also be told without undue delay.
The only exception is where the data controller judges that the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Even then the breach must be thoroughly documented internally, along with the reasoning for not informing the DPA, and the DPA can ask to see that record at any time.
A large percentage of the breaches reported were found not to have met the criteria for reporting, possibly because companies rushed the decision for fear of missing the 72-hour window.
There are already signs that organisations are comparing which authorities would be the most lenient, so a multinational may, for example, choose to report a breach to an authority with weaker enforcement powers.
Third parties are very often the weak link in data security. According to some reports, third-party failure plays a part in 63 percent of all data breaches.
However, the headlines about breaches always centre on the controller and rarely mention the third-party processors that may have played a part in the breach.
Third party due diligence frameworks
The process approach
- Life cycle phase 1: Planning—Management develops plans to manage relationships with third parties.
- Life cycle phase 2: Due diligence and third-party selection—The enterprise conducts due diligence on all potential third parties before selecting and entering into contracts or relationships.
- Life cycle phase 3: Contract negotiation— Management reviews or has legal counsel review contracts before execution.
- Life cycle phase 4: Ongoing monitoring—Management periodically reviews third-party relationships.
- Life cycle phase 5: Termination and contingency planning—Management has adequate contingency plans that address steps to be taken in the event of contract default or termination.
Relentless Privacy and Compliance Services Ltd’s outsourced DPO service manages all third party contracts and due diligence.