What Facebook has taught us about third party risk in the context of GDPR

Jul 10, 2018

The UK Information Commissioner's Office has announced that Facebook will be handed the maximum fine of £500,000 for allowing the political consulting firm Cambridge Analytica to harvest the data of millions of people without their consent in the lead-up to the Brexit referendum.

The fine will be handed down under existing UK legislation which is independent of the General Data Protection Regulation (GDPR). However, the decision sets a sobering precedent that concretizes the risk of third-party data breaches.

For the last couple of months leading up to GDPR’s introduction on May 25, companies have been going to great lengths to shore up their internal data-handling procedures and the transparency surrounding this. Third-party data risk, on the other hand, is a topic that has remained relatively sidelined. Are companies doing enough to mitigate the risk of their third parties? Or, like Facebook, are they exposing themselves to the liability carried over to data controllers in the context of GDPR?

Who is responsible for third-party data breaches? 

First things first: is it clear where the responsibility actually lies? Under GDPR, data can be handled either by "controllers" (the party with whom a person has directly entrusted their data) or "processors" (any third party to whom the controller then entrusts the processing of the data, either directly or indirectly). Although the regulation states that processors must commit to carrying out certain measures, it also states that damages for a leak may be claimed against either the controller or the processor.

It may not be entirely clear who is responsible in the case of third-party breaches; however, it is clearly in the interest of the controller to ensure the compliance of their partners and suppliers. And GDPR has upped the stakes here by stipulating a fine amounting to the greater of 4% of annual global turnover or €20 million. Had Facebook received its fine after GDPR came into force, it could have been in the order of $1.4 billion, according to Security Week.

What is the scale of third-party risk? 

The Facebook fine is a clear illustration of the risks of third-party data breaches, but it is far from the only such case. Our supplier ecosystems have never been so broad or so complex, with US companies interacting with an average of 1,500 third parties on top of their employees. When collaboration demands constant data exchange, it is very difficult to enforce your own security standards on external suppliers. At CybelAngel, we estimate that 90% of the data breaches we identify for our customers originate from third parties.

It therefore follows that securing your data within your internal network simply isn't enough. This is especially true in the context of GDPR, but no less so when you consider the hefty cost and reputational risk that data leaks carry in themselves when they are not remediated quickly enough.

What can you do to mitigate the risk? 

In essence, GDPR requires companies to be able to show where data is, who has access to it, how it is being protected, and how long it will be kept. In addition, companies are expected to report breaches to the supervisory authority no later than 72 hours after becoming aware of them. Your third parties had better be able to do the same, because if they suffer a breach while handling the data you have gathered, it is you who will be liable.

In order to mitigate the risk, we suggest you do the following: 

  • Talk to your current vendors and ensure that they are able to comply with GDPR.
  • Draw up a contract outlining their obligations, including that they will not outsource the handling of your gathered data without your prior approval, and that they will delete your gathered data after a set period of time.
  • Thoroughly vet new vendors, and require that they commit to the same contract.
  • Understand where your third parties process your data; some countries do not meet the level of security and protection required by GDPR.

Why it’s never that simple... 

If only it were that easy to completely rule out third-party risk! For one thing, some ecosystems are so complex that it is far from clear who is responsible for what. Take cloud storage, for example. In order to understand who is actually handling the data you have gathered, you would have to be aware of every sub-processor throughout the entire supply chain. As you can imagine, this is an exercise that often produces a lot of ambiguity and mutual finger-pointing, but little clarity.

What’s more, the sad reality is that leaks are simply inevitable in collaborative environments, no matter how many procedures and contractual agreements have been put in place. While these measures are of course indispensable, it is not practical to dedicate 100% of your efforts to prevention. 

After a certain point you need to accept that leaks are going to happen, and that a large portion of them will most likely come from your suppliers. Indeed, according to Gartner, more than half of all leaks originate from third parties. Once you have accepted this, you can focus your energy on finding these inevitable leaks, and on finding them before they become breaches. For example, you could consider using third-party risk management platforms or data leak detection solutions. These tools allow you to already be on the front foot when the inevitable occurs.

GDPR has already provided an enormous incentive for companies to do some soul-searching about their internal data-handling processes. It is now time for the industry to muster the energy to carry out the same exercise for their third parties. The fine handed down to Facebook is a sobering reminder of the consequences of third-party data leaks, and a powerful motivator to conduct the external clean-ups that have been overdue for years.