Third Party Data Breaches, and GDPR’s Reach into the U.S.
How can you prevent third party breaches, since your data is already outside?
Keeping your data safe is a difficult task, but how do you keep your data safe with third parties who are beyond your firewall but still have access to your data? A 2016 U.S. healthcare report states that approximately 35% of breached records were caused by third party breaches, where each third party breach affected 27% more patients per incident than in-house breaches. The third party may act as a conduit such as a malware infection, or may expose your shared information on its own from its own system, like an AWS S3 misconfiguration that allows unpassworded access to unencrypted data. Here are a few third party breaches:
The answer is that the third party must prove that it is safe. One way is that they must have themselves professionally cyber tested to demonstrate their capabilities (or lack of dysfunction) to prove that they’ve performed their due diligence security-wise, which is now mandated by GDPR. The other route is for you to headline how the cyber testing is performed, by either doing it yourself or defining the authoritative party who will independently validate and verify the acceptability of the security.
This concept extends to non-European access to European data under GDPR’s reach, where the non-European entity, even if it is the same company, can be viewed as a third party. This is because the systems are often outside the reach of the initial company and must therefore be viewed potentially flawed. Non-European countries, likewise, may be unfamiliar with the severity of GDPR, with 3 months to go until offenses may result in million-euro fines and bans from doing business in Europe. As such, the need for cyber security testing is critical, by a verified outsourcing expert.
This leads to one obvious conclusion for third party seeking to do business: be proactive seek out assurance on your own, so that you can demonstrate your merit to potential B2B customers without any embarrassing revelations later on. Much of IT is devoted to a shift-left mindset, and it adds to a third party’s believability to have done their homework ahead of time. Third party data access has gotten a bad reputation regarding breaches.
GDPR is not the only source of data protection rules. Many other locations and industries have hurdles they must clear to maintain compliance regarding safety and control, and many are being re-written to acknowledge digital innovation. Sarbanes-Oxley maintains data trails, making malicious insider behavior much easier to track. PCI-DSS needs to limit access to PII wherever in can to minimize exposure, quite a challenge considering the amount of devices that can be involved in digital POS solutions.
It is not enough to limit heavy guard to the PII-intensive industries of BFSI and healthcare. Malware, cyberterrorism and hacktivism has less restraints about the industries of their end-victims, especially if it allows third party access to BFSI and healthcare PII preferred by the dark web and other places. In fact, an industry expected to be less protected may therefore be an easier target, such as utilities or education.
When it comes to data security, we all have our individual business process concerns, and we are all as strong as our weakest link. Once the threat is inside, it is harder to stop. That is why ensuring third party cyber strength is so vitally important.