In July 2017, the Swedish Government disclosed that it had leaked the details of nearly all of its citizens after information from the country’s driving licence database was made available.
The huge breach took place during an outsourcing project with IBM Sweden, when information was made readily accessible to IT contractors from other countries who had not been security checked. Rightly, criticism has been severe, forcing the Government to replace two of its ministers to try to limit the drop in citizen confidence.
When governments suffer data breaches, the traditional public relations fallout is combined with political scandal. Citizens are left questioning their government’s ability to truly protect them if it cannot keep their data secure.
While enterprises which suffer breaches will not necessarily receive the same level of backlash, there are definitely lessons to be learned from how the Swedish leak panned out.
Firstly, the timing of the disclosure. The agreement between the Government and IBM commenced in 2015, suggesting that the leak started around two years before the announcement.
The gap raises two questions: if the Government knew about the breach, why did it wait so long before saying something? Or, more worryingly, if the highest echelons were not informed, why not? The Yahoo data breach is a good example of how delayed disclosure can impact business value.
In December 2016, Yahoo disclosed that it had suffered a data breach back in 2013 that had impacted 1 billion users. The poor management of the leak and the negative press led to Verizon, which was in talks to buy Yahoo at the time, paying nearly £270 million less than the original purchase price when it eventually completed the takeover in June 2017.
In a PR crisis, in order to begin to restore confidence of stakeholders, it’s vital that firms share accurate information early. When a business suffers a data breach, affected customers shouldn’t have to find out from news articles or social media that their information may have been compromised; they deserve to be informed directly.
To make matters worse, the scale of breaches is often exaggerated to make them more newsworthy, but when firms don’t communicate what they know about the breach as soon as possible, such articles seem more credible. Tackling the issue head-on reassures customers that the issue is being dealt with, helping to mitigate reputational damage.
Secondly, the Swedish incident challenges the widely accepted assumption that third-party cloud providers are truly secure. When organisations outsource IT functions to expert companies, they expect that the outsourcers will have better infrastructure and cybersecurity capabilities. The outsourcers have economies of scale as well as the market incentive of ensuring that data remains secure – they lose business if it doesn’t.
Yet what appears to be lost on some is that when they outsource or put data in the cloud, the organisation, in this case the Swedish Transportation ministry, remains the data controller, meaning that accountability for security and privacy stays with it.
If the outsourcer suffers a breach, the data controller will still be held accountable regardless of whether it had any direct control over cybersecurity. The EU’s GDPR shared-responsibility approach will enforce this further.
Thirdly, the leak highlights the importance of scrutinising contracts. When outsourcing is the most practical option, businesses tend to transfer some of the risk onto third parties through contracts, setting specific clauses that ensure data is stored, processed and used in ways appropriate to its sensitivity.
These clauses usually involve requirements around data access controls as well as the ‘right to audit’. However, some of these vital clauses were apparently left out of the contract with IBM in order to speed up the process. This corner cutting resulted in the sensitive information being readily available to non-vetted IT workers outside Sweden.
As such, when entering into partnerships that involve sensitive or confidential data, organisations must scrutinise contracts and not trade away security measures for faster completion. Companies can no longer plead ignorance of their third parties’ actions, so they must ensure that all bases are covered from the outset.
Ultimately, politics mixed with data breaches is a toxic recipe. Citizens feel let down and they display that displeasure with votes. When it comes to the enterprise, if consumers believe that a company cannot protect their data, they vote with their wallet.
All businesses will suffer data breaches of varying significance, but it’s how they respond to them that can really cause the lasting damage. Moreover, as cloud ecosystems continue to expand, the chances of data becoming compromised only increase.
Companies must consider whether third-party cloud providers are really the best option for their data or whether the decision is simply being driven by the bottom line.
If cloud service providers are the way to go, contracts that state responsibility and accountability must be watertight. Customers won’t care that data loss was due to a third party, and neither will the Information Commissioner’s Office.
Sourced from French Caldwell, chief evangelist at GRC apps company MetricStream