According to recent research by RSA, failure to protect customer data is creating long-term business problems for organizations. That was evident at a packed event in London on Feb. 5, where discussion centered around the fear of being unable to manage the fallout of a data breach involving a third party.

With 69 percent of the 7,500 consumers surveyed from France, Germany, Italy, U.K. and the U.S. saying they have or would “boycott a company that showed a lack of regard for protecting customer data” the concerns are real. Furthermore, 62 percent of consumers would feel inclined to blame the company above anyone else, even the hacker — and certainly not a third contractor — if they lost their personal data.

“Just because you put data in the cloud, doesn’t mean you revoke all your responsibility,” said Rashmi Knowles, Field CTO EMEA, RSA Security. “With GDPR, third-party risk becomes even more elevated. If the data handler or data processor suffers a breach, you, the data controller, can be held accountable. However, If you are going to work with third parties and you have done your due diligence, the regulators are obviously going to look on that very differently.” 

Raef Meeuwisse, author of Cybersecurity for Beginners, said however that the due diligence can in itself be the issue: “One of the top problems is misconfiguration. There is the security available, but companies don’t switch it on. I found the same with cloud providers. The other problem is that there aren’t any really reliable certifications, so organizations might have great operational and procedural documents, but they aren’t implemented.

“Quite often security is an afterthought. And no one mentions fourth-party risk; a data centre is owned by one company, operated by another, with a contract to yet another and everyone is pointing fingers at each other,” he added.

From a legal standpoint, Anthony Lee, Partner at DMH Stallard had some advice: “There are still issues with some cloud service providers. Under the current law the only two things you need to ensure is that the supplier will follow the instructions, and that they will keep the data secure. What you need are audit rights, and that they provide you with such information as you need to verify that security so that you can demonstrate that you are compliant. You need a clause in there to say that they will delete the data at the end of the contract. If you are under the current regime there is no strict obligation to report.”

Under the GDPR, breaches must be reported within 72 hours — not almost a year, like Uber. If a data breach carries a “high risk of adversely affecting individuals’ rights and freedoms” the regulation is even more strict saying a breach must be reported without “undue delay."

There only exception is for cases where a data controller judges that the breach is “unlikely to result in a risk to the rights and freedoms of natural persons," but even in this case the breach must be thoroughly documented internally, along with the reason for not informing a DPA, something a DPA can at any time ask to see.

But Knowles says “there is a danger of overreporting, because companies will be scared of missing that 72-hour window.” 

A recent report from the U.K.’s Department for Digital, Culture, Media & Sport found that only 38 percent of businesses is even aware of the incoming GDPR legislation, nevermind ready to comply. Of those businesses aware of GDPR, just 27 percent has made changes to their operations in response. 

The GDPR contains clear rules on conditions for imposing administrative fines — data protection authorities will be able to penalize companies who do not inform their clients that their data has been breached — whether or not that takes place in-house or with an outsourced provider.

Knowles says this could lead to so-called "forum shopping" for third-party providers.

“There are already discussions about which would be the most lenient authorities, so if you are a multinational you may hedge your bets in terms of where you choose to report your breach," he said. "Although the fines are being used as a big stick, I’m not sure we will see fines being doled out in May. The other school of thought is that someone will be made an example of, and it may be that will be the persistent offenders that we read about in the press.”

Third parties are very often the weak link in data security. According to some reports, third-party failure plays a part in 63 percent of all data breaches. Regulators may well decide to focus their energy on the weakest link, particularly as third parties could be outsourcing to multiple companies across many sectors. But that will not get you off the hook, if due diligence has not been carried out. 

And as revealed by the RSA survey, even if companies avoid a fine by pointing the finger at a negligent third party, the reputational damage will still be done. Company DPOs need to ask, who can they really trust, and can they prove it?

photo credit: Eric Kilby Three Lions on a Rock via photopin (license)