The discussion of data breach liability is complex. The Wired article “The Crooked Path to Determining Liability in Data Breach Cases” highlights the complexity of this issue. Hackers target the weakest link along the chain of entities that protect customer data. Because the harm from a data breach falls on every party in that chain, not just the party that failed to implement reasonable security standards, businesses do not fully realize the total cost of a breach and, therefore, they may under-protect customer data.
Even if you have implemented highly effective data security for your organization and are confident that the risks of data breaches on your systems are low, you may face consequences for data breaches on the systems of your suppliers.
Many of your service providers must have access to some of your sensitive data to carry out their work. When their systems are not secure and your data is exposed in their data breaches, you may be liable. You may have to take expensive corrective action and may be subject to sanctions by governments and regulatory agencies. When you give third parties access to your sensitive data, you are responsible for making sure they keep your data safe.
Third Party Professional Services
All businesses use third party providers for some of their business processing needs. There are business processes you can carry out with your own staff, and there are other types for which you might use specialized companies. When you use these outside professional service providers, you have to give them access to the data they need, but you remain responsible for the security of that data. When a provider suffers a data breach, there may be consequences for your firm, depending on the type of data involved. In many cases, you can’t shift the liability for a data breach through contractual terms. In most cases, these providers are considered an extension of your internal staff, irrespective of your contractual terms with them.
For example, you may need the services of an expert to evaluate client or third party claims. You have to give the expert access to the information needed to do the work and that information may be confidential. A security breach at the expert’s business may result in material damages to the client and damage to your firm’s reputation. You may incur additional costs when you have to mitigate the results of the data breach.
Another example is payroll processing. Many businesses use specialized payroll processors to handle their payrolls and these service providers have access to a variety of personal employee information. In this case you are dealing with personally identifiable information (PII) that is protected by law and by regulations. When a third party payroll processor leaks PII, you may face sanctions, fines and legal action by government agencies. If employees suffer damages because the information was used for identity fraud, there may be other liabilities as well.
While such third party data processing service providers have an obligation to keep your data safe, this does not relieve your firm of your data security responsibilities. You have to make sure your data is stored, processed and transmitted securely, even when in the hands of others.
Cloud Providers
Storing data in the cloud facilitates collaboration among team members, improves communication and results in expanded access to files. These factors give a competitive advantage to firms that implement a transition to the cloud effectively. But data stored in the cloud may not be secure. Your firm is responsible for cloud data security and for making sure that the cloud services providers have effective data security measures in place.
Undertaking an evaluation of cloud provider security is not easy. Cloud data is encrypted in transit from your system to the cloud servers but it is often not encrypted when stored in the cloud. This means that cloud service provider employees and hackers targeting the service provider can see your sensitive data and pass it on to other interested parties.
The cloud service provider may encrypt your data in the cloud, but even then it may not be secure, and there are operational disadvantages. To search or process the encrypted data, you first have to decrypt it using the key held by the cloud service provider.
In any case, cloud encryption still means that your service provider has the encryption keys and can access the data any time. Such access becomes an issue when the provider is subject to legal constraints and may have to give the keys to government agencies when served with a legal request.
The lack of certainty with regard to secure cloud data storage is especially critical for law firms because insecure storage of client information may lead to loss of legal privilege. Law firms may be tempted to keep such information on their own systems, losing out on the advantages of the cloud.
Auditing your Cloud Provider
Keeping your sensitive data safe by increasing your audits of suppliers is challenging and expensive. You have to develop policies and procedures to qualify providers before you can give them a contract. As long as they have access to sensitive data, you have to regularly audit their operations to make sure they are maintaining effective security measures. When contractual requirements or regulations change, you have to evaluate them all again. Even then, while you can reduce the risk of a third party data breach, mistakes by employees, oversights in security implementation and equipment faults ensure that the risks always remain substantial.
Instead, you can increase cybersecurity through a targeted implementation of data-centric protection. This means masking some of the data to remove identifying characteristics. Information in which the key parts of the data have been masked is no longer sensitive and no longer personally identifiable. A security breach does not leak confidential data. No matter where your data goes or where it is stored, you retain control and it remains secure.
For example, you can take a list of names and credit card numbers and mask the numbers by replacing the digits with other digits. The list is now useless to anyone who obtains it, and if it leaks during a security failure, it does not constitute a data breach. In a file, you can mask all the names and identifying information to make the content incomprehensible. For payroll data, you can mask the names, social insurance numbers and other PII to secure the data.
When you authorize someone to read the masked information, the characters are changed back for that reader. You retain control of the security of your data even when service providers suffer security failures. Your risk and the associated liability are limited because your service providers no longer automatically have access to sensitive information. With data-centric masking, you keep control of confidential information.
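The masking described above, as an added illustration that is not CloudMask's own code or method: a vault-based reversible masking scheme in which each digit or letter of a PII field is replaced by a random character of the same class, the token-to-original mapping stays with the data owner, and only an authorized caller can reverse it. The `MaskingVault` class, the field names and the sample payroll row are all constructed for this example.

```python
import secrets
import string


def _maskable(ch):
    return ch.isdigit() or ch.islower() or ch.isupper()


def _random_same_class(ch):
    # Swap a character for a random one of the same class so the masked value
    # keeps its shape (length, dashes, spaces, capitalisation) but no content.
    if ch.isdigit():
        return secrets.choice(string.digits)
    if ch.islower():
        return secrets.choice(string.ascii_lowercase)
    if ch.isupper():
        return secrets.choice(string.ascii_uppercase)
    return ch


class MaskingVault:
    """Token -> original mapping. The vault never leaves the data owner;
    only the masked record is handed to the payroll processor or cloud."""

    def __init__(self):
        self._tokens = {}

    def mask(self, value):
        # Values with nothing to mask (e.g. "---") are stored unchanged.
        if not any(_maskable(c) for c in value):
            self._tokens.setdefault(value, value)
            return value
        # Draw fresh tokens until one is unused and differs from the original.
        while True:
            token = "".join(_random_same_class(c) for c in value)
            if token != value and token not in self._tokens:
                self._tokens[token] = value
                return token

    def unmask(self, token, authorized):
        # Only an authorized party gets the original back; everyone else sees the token.
        if not authorized:
            raise PermissionError("caller is not authorized to unmask")
        return self._tokens[token]

    def mask_record(self, record, sensitive_fields):
        # Mask only the listed PII fields; non-sensitive fields pass through untouched.
        return {k: (self.mask(v) if k in sensitive_fields else v) for k, v in record.items()}

    def unmask_record(self, record, sensitive_fields, authorized):
        return {k: (self.unmask(v, authorized) if k in sensitive_fields else v) for k, v in record.items()}
```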
With CloudMask, only your authorized parties can decrypt and see your data. Not hackers holding your valid password, not cloud providers, not government agencies, and not even CloudMask can see your protected data. Twenty-six government cybersecurity agencies around the world back these claims.
Watch our video and demo at www.vimeo.com/cloudmask