Cybercrime is so prominent in the digital age that companies are obligated to implement solutions that effectively prevent, or at least reduce the risk of, a data breach. Due to a lack of in-house expertise, most businesses turn to cybersecurity specialists for help.
Cybersecurity as a Service (CSaaS) is readily available through either dedicated cybersecurity firms or outsourced IT Support Services that specialise in IT Security.
Whilst CSaaS significantly reduces the risk of suffering a data breach, a successful attack cannot be ruled out. The technologies and techniques of hackers evolve constantly, and they are naturally ahead of the cybersecurity curve.
However, in the event of a data breach, who is held accountable? Can companies deflect responsibility onto their CSaaS service provider or is a company independently accountable for its own security?
Data Breach Accountability
Determining who is accountable for a data breach isn’t always easy. The decision will be left with the Information Commissioner’s Office (ICO) to decide in accordance with the General Data Protection Regulation (GDPR). However, their guidelines are as clear as mud.
GDPR guidelines stipulate that enterprises are responsible for adhering to “accountability principles” in two ways: companies storing and managing sensitive data must install appropriate technical measures that help prevent cybercrime, together with operational strategies that fall in line with GDPR compliance.
Companies are also obliged to appoint a data controller who is responsible for protecting the integrity and confidentiality of data stored on a business network.
The role of the data controller primarily involves crafting cybersecurity protocols, ensuring your workforce is given cybersecurity awareness training and ensuring operational procedures are followed.
In turn, the data controller is responsible for the actions of the “data processor”, or in other words, anybody who could open a gateway for hackers or otherwise breach privacy laws designed to protect sensitive data.
Beyond the data controller, the burden of responsibility falls on the Chief Information Security Officer (CISO) or the CEO. Accountability would depend on where the fault occurred.
If the data breach was enabled by a failure to detect or respond to suspicious activity within the company’s security operations team, accountability lies with the CISO.
The CISO would also be held accountable if they have not installed appropriate cybersecurity defences or if the technologies in place are out of date. Failing to apply security patches, for example, would be the responsibility of the CISO.
CEOs are responsible for data breaches when they fail to allocate an appropriate amount of the budget to fund data security. Gartner predicts that CEOs will be held personally accountable by 2024, and that as many as 75% of CEOs could be held liable for a data breach.
Pinpointing Responsibility for Security
When an IT support company acts as a CSaaS, there is some confusion over which role each company takes and where the accountability lies. GDPR legislation is not clear.
The general guidelines are that data controllers determine the manner in which data is processed. This involves deciding which data is processed, how and why.
A data processor is responsible for the ‘technical’ aspects of an operation, such as data storage, retrieval or erasure. But the distinction between the role of a data controller and that of a data processor is so fine that there is some crossover.
The ICO’s explanation reads:
“The data controller must exercise overall control over the purpose for which, and the manner in which, personal data are processed. However, in reality, a data processor can itself exercise some control over the manner of processing – e.g. over the technical aspects of how a particular service is delivered.
The fact that one organisation provides a service to another organisation does not necessarily mean that it is acting as a data processor. It could be a data controller in its own right, depending on the degree of control it exercises over the processing operation.”
Taking this explanation at face value, it’s anybody’s guess where accountability lies. Both an IT support company and their client are at the whim of an ICO decision. It could turn out that both companies are penalised.
It must be understood by both parties from the outset that installing and executing cybersecurity protocols is a joint exercise. The best practice is to determine roles and responsibilities and assign accountability when an agreement is signed. Don’t rely on the ICO interpretation to determine where accountability will, or should, lie. The official explanation is nonsense.
When is your IT Support Team Accountable for a Data Breach?
When implementing an IT security strategy, the role of the managed IT service team is to provide appropriate technologies and to comply with a Service Level Agreement (SLA). The SLA should include implementing cybersecurity best-practice measures and providing access to skilled professionals who are responsible for monitoring networks, identifying suspicious activity and preventing attacks.
Unless the IT support team fails to deliver the promises stated in the SLA, accountability lies with the client company. The exception to this rule may be if the ICO deems that the quality of service provided by a CSaaS was substandard and that the technologies they use are inadequate.
This should never be the case, particularly if you team up with a reputable IT support team. It’s not unheard of for clients to ignore proven strategies, in which case responsibility for the data breach lies firmly on your doorstep.
At Micro Pro, we take every step to ensure that cybersecurity best practice is followed. We keep an audit trail of the recommendations we provide and send reminders to ensure you remain fully protected.
Our high level of IT security includes providing a remote cybersecurity monitoring service, cybersecurity awareness training, cloud configuration and patch management. The third-party software you use presents hackers with a gateway if you do not stay on top of updates.
Data breaches can be costly. It is reported that UK companies spend an average of £2.9 million recovering from a data breach. In addition to seeking professional advice from IT specialists, we also recommend investing in professional liability insurance to help pay for investigating and remedying a security breach.
Cyber liability insurance covers the cost of notifying affected parties, paying any extortion demands, legal fees and GDPR penalties. If you need any more advice and assistance to ensure your cybersecurity defences are in place, contact Micro Pro today and speak with one of our IT Security experts.