
AIMA Journal (Q2 2011) - Third Party Data Breaches

Third party data breaches — your reputation in someone else’s hands

By Mark Child, Partner, Kingston Smith Consulting LLP


WHAT’S THE COST?

An average data breach incident cost UK organisations £1.9m ($3.1m) in 2010, a 13% increase on 2009 figures according to an annual report from security firm Symantec. The report states that the cost of a breach varied from £36,000 to £6.2m, and the most expensive single incident in 2010 cost £2.3m more than its 2009 equivalent.

With the average cost of a data breach rising to £1.9m, securing information clearly continues to challenge organisations at all levels, but these breaches are preventable.

Research by IT services company Dimension Data found that 1 in 10 large UK organisations have experienced a data leak, and 91% of these suffered reputational damage as a result. Dimension Data also found that 27% lost their competitive edge as a result of these leaks. Additionally, the research shows there are still major barriers to the adoption of data loss prevention policies.

With the UK Information Commissioner’s increased powers as of April 2010, combined with the scale and immediacy of the web and social media, organisations that leak customer data are more likely than ever to suffer from a tarnished reputation through public exposure. Despite this, however, many organisations take a reactive approach, assuming — or hoping — it will never happen to them.

THE NEWSWORTHY AND THE NOT SO NEWSWORTHY

It feels that not a week goes by without there having been at least one notable headline advising us of how a well-known organisation has suffered a serious data security breach. We all know that it won’t hit the front pages unless it involves a large corporation or high-profile government agency, but what about all the other not-so newsworthy data breaches that thousands of organisations encounter each year?

Over 800 data security breaches have been reported to the Information Commissioner’s Office (ICO) in just over two years. The ICO is warning that ALL organisations may face tougher sanctions if they fail to report security breaches which subsequently come to light.

David Smith, Deputy Information Commissioner, said: “In just over two months a further 100 organisations have reported data security breaches to us. We are keen to work with organisations to prevent breaches occurring in the first place and to help put things right when things do go wrong. Talking to us may of course result in regulatory action. However, organisations must act responsibly; those that try to cover up breaches which we subsequently become aware of are likely to face tougher regulatory sanctions.”

New powers, designed to deter data breaches, came into force on 6 April 2010. The Information Commissioner’s Office (ICO) is now able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act 1998.

WHAT IS THE MARKET TELLING US?

A McAfee and Science Applications International Corp (SAIC) survey queried 1,000 technology managers in the US, UK, Japan, China, India, Brazil and the Middle East on questions about intellectual property and security.

One in seven organisations had not reported data breaches or losses to outside government agencies, authorities or stockholders. In addition, only three out of 10 said they report all data breaches and losses related to intellectual property, while one in 10 will only report such incidents that they are legally obliged to report, and no more. Six in 10 said they currently “pick and choose” the breaches and losses of sensitive data they decide to report, “depending on how they feel about them”.

The report said the main reasons for not disclosing data breaches are fear of media coverage, damage to the brand and shareholder value. “The admission of a significant vulnerability could flag other attackers so very few companies are willing to be public about intellectual capital losses.” Another finding of the survey was that about 25% of the organisations “had a merger or acquisition or product rollout stopped by a data breach”.

The report also says the economic recession has impacted how organisations are looking at where they store sensitive data such as intellectual property, proprietary information and trade secrets.

More than half of those studied are reassessing the risks of processing data outside of their home country due to the economic downturn, compared to only four in 10 in 2008. Countries that have “leniency in privacy and notification laws” are attractive to organisations, but nine out of 10 that store sensitive information abroad do view some countries as safer than others. China, Russia and Pakistan were considered the least safe, whilst the UK, Germany and the US were seen as the safest.

SHOULD WE SHARE OUR DATA?

While drastic measures like pulling the plug on your internet connectivity are probably somewhat extreme, the reality is that data is only of any use if it can be used and, increasingly nowadays, if it is shared.

The majority of us are familiar with the issues surrounding the sharing of data but how many of us really understand or have the appropriate controls in place to reduce or prevent an actual breach?

WHERE ARE THE BOUNDARIES?

Whilst organisations are getting better at managing their data risks, once this data has been shared with a third party it appears that we have significantly less control (if any) over it.

There is also a misplaced belief that the failsafe of a contract will seemingly absolve you of all your liabilities for its continued well being. Whilst a legal obligation may well reside with the third party, the Data Protection Act 1998 clearly states that the organisation from where the data originated is classed as the “Data Controller” and, as such, remains accountable for that data throughout its lifecycle. Thus both the responsibilities and the associated penalties — whether they are financial or reputational — still very much reside at the point of origin.

If you transfer data across multiple jurisdictions you potentially expose yourself to further risks in respect of failing to comply with the respective legal and regulatory requirements of those countries. In many cases the laws governing the control of the data vary considerably. In some cases this may actually prevent you from sharing, storing or processing data outside of a particular jurisdiction, and/or require local variations to existing policies and procedures to ensure ongoing compliance.

Organisations need to understand their data estate. In simple terms this refers to the data lifecycle; namely, are you able to map your data from the point it enters your organisation through to its destruction?

Unfortunately, the answer for many is “No!” This may come as a surprise, but just think about it for a moment. Do you really understand what systems, applications, third parties, spreadsheets, databases, jurisdictions etc. your data passes through before it is disposed of? Can you really provide the required assurances that this data is, at all times, being controlled in accordance with the policies, procedures and, more importantly, the respective legal obligations which you are required to follow?

Unfortunately, in many instances it takes a data breach or a near miss before the boundaries become clear to all parties.

THE LIST OF UNKNOWNS

We have assisted many organisations with managing their data risks, particularly in respect of third parties. This has highlighted some particular issues, which we refer to as the List of Unknowns.

Unknown: How many third parties have access to your data?

You may be surprised to learn that many organisations do not know how many of their third parties have access to their data. Perhaps of greater concern is how many know what data their third parties are sharing with their own third parties? Most tend to be able to list their third parties, whether via an Approved Supplier or Preferred Supplier list or database; however, ask them if they understand what data is being shared, with whom it is subsequently being shared, for what reason and with what controls, and the response is all too often one of uncertainty.

Unknown: What is in the contract? (Or in some cases, where is the contract?)

In many cases a well written contract agreed by both parties should suffice. Both parties should have a clear understanding of their respective expectations through established service levels, security schedules, independent review and ongoing relationship management.

It’s when things don’t go as planned that the contract is invariably referred to, and it usually comes as a shock to one or both parties that on closer inspection there is, for example, no “right of audit” clause, enforceable service level agreement, or clause stipulating that the third party is required to adhere to your Information Security policy. It’s an even bigger shock when you can’t locate the contract. These are typically contracts with smaller third parties, one-offs or third parties with whom you have an established relationship.

Nonetheless they still may have access to your data and you are still legally responsible for its well-being.

Unknown: What data does each of your third parties have access to? And do they need access to all that data?

Many third parties require access to your data; unfortunately many organisations are leaving the decisions as to what data they should and shouldn’t have access to far too late in the process. After all, the third party knows best – they are the experts, aren’t they? Only allow third parties access to your data on a strictly need-to-know basis. What is of particular concern is when organisations do not know what data their third parties can access.

Unknown: What do your third parties do with your data? And more importantly, what do they NOT do with your data?

Once that data is out of your door, it’s out of your hands and in the hands of your third party. Many organisations seem to be closing their eyes and hoping for the best. Some simply rely on an Information Security Policy which the third party flashes about telling them all the wonderful controls they have in place to ensure the customer data is secure.

In reality, this is just a document and worthless if it isn’t acted on and effectively implemented. You should know exactly what your third parties do with your data; from how it’s stored, processed, protected and who it’s shared with and so on, to whether the third party is actively working to continuously improve their controls. Increasingly, organisations are actively assessing their third parties’ technical capabilities and also procedural activities in relation to Information Security.

Unknown: What has happened to your data after the relationship with your third party has ended?

Winding down a relationship with a third party can take a considerable amount of time and effort. Most organisations are relatively proficient when tidying up financials and ensuring that skills and knowledge are retained and transferred, but very little is being done to ensure that ALL of the data is removed or disposed of securely. Imagine getting a call from a third party years after terminating a contract with them, advising you that data belonging to you, which they didn’t know they still held, had been compromised!

TURN YOUR UNKNOWNS TO YOUR KNOWNS AND MANAGE YOUR RISKS

Most organisations tend to think that the worst will never happen and that the controls they apply in respect of their data are sufficiently robust.

The reality, as has been well reported, is often very different. Invariably it’s easier and more cost effective to prevent a breach from happening rather than deal with the consequences.