There have been several high profile reports of data breaches recently, including Ticketmaster, Thomas Cook and Harvey Norman. Harvey Norman attributed their reported breach to a third party and issued the following statement detailing the provider –
We wish to alert you to a data breach that has occurred in the systems of a third-party website service provider, Typeform, which has resulted in the unauthorized access to some Harvey Norman data.
While Harvey Norman did comply with the data breach reporting requirement of the GDPR by meeting its 72-hour deadline, there are still lessons to be learned from the incident.
As a Data Controller, you are responsible for your Third-Party Processors
Typeform provides online survey and other data collection services to tens of thousands of clients. Featured on the customer page of their website are Forbes, Trello, HubSpot, Indiegogo and Freshdesk. Two weeks ago, Typeform discovered a major breach and many of its clients were impacted as a result. By extension, it is suspected that a large amount of personal data has been accessed.
The Typeform breach is a nasty one. Many of the organisations that use their services collect sensitive data through the customisable forms Typeform provides; utilising the service to gather all manner of personal information via surveys, orders and lead generation forms. One client, Ocean Protocol, reported that “the hackers accessed the data that contributors submitted to fulfil Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements. Typeform has confirmed that the data was stored in an unencrypted manner which means that the data is accessible.”
Relationships and Due Diligence
The relationship requirements between a data controller and an outsourced data processor is clear and the relative size of the parties should not matter. The controller must be aware of the Technical and Organisational Measures (TOMs) that a processor has in place to protect the data they are being contracted to process. Typeform, apparently, has had unencrypted data taken from a backed-up version of its data – should this have been addressed in the TOMs?
Before establishing a contractual relationship with a third party data processor, an appropriate level of due diligence needs to be undertaken. The following are some tips on carrying out such due diligence:
- Due diligence should be complete prior to any contractual engagement with a processor;
- Consider implementing a process to confirm that the key operational controls in place at the time of initial due diligence continue to be effective – check this with some regularity;
- If you have an existing relationship with an established data processor, it is prudent to conduct ongoing due diligence with them as soon as possible and to set up systems to repeat it with some regularity.
Getting a data processor to re-confirm aspects of their TOMs serves two purposes:
- To get confirmation that they are still doing the processing according to the contract, and
- To re-establish the importance of the contractual arrangement.
The data processor is responsible for the security of the data in its possession whereas the controller is responsible for ensuring that those security measures are in place and remain effective.
Do not panic if your due diligence exercise indicates a problem, work to fix it and get confirmation of the fix. No matter how good an organisation is there is always room for learning and continuous improvement. Processors have to be honest and controllers have to be reasonable and realistic in any due diligence process. The objective is collective prevention, working together.
Work together to prevent the need to report
Getting back to the Harvey Norman / Typeform breach, there is an encryption commitment on the Typeform website so, in theory, they were addressing the issue. Reports suggest there are two critical points of breakdown here – access to data by an external party in the first place and the fact that the accessed data (or some of it) was not encrypted.
In the standards section of their security page Typeform reference compliance with PCI-DSS which, as any retailer knows, is a necessary requirement in carrying out any credit card transaction. In that document Typeform allude to seeking to comply with other standards but not one of the available 20+ international IT security standards are mentioned.
The ALL and ALWAYS controls
As a data controller, you have to test even the most convincing statements issued by processors. This is what we as risk managers refer to as the “All” and “Always” controls. If some part of the organisation is not focused on checking that processes and procedures are always followed by all the relevant people then, inevitably, controls will weaken or may fail completely.
From the perspective of the data processor, the responsibility to protect the data they process is both a legal requirement and an obvious business need. Losing the trust of clients is the worst nightmare for a data processor – your brand publicly named as the cause of the breach; broadcasted and re-broadcasted across all media; being party to multinational regulatory investigations. Dealing with the cost associated with all of that is a complete pain in the pocket, from which many organisations might simply never recover.