For example, British Airways blamed cargo handling firm Swissport for compromising or possibly sharing login information. Marriott blamed IT consultancy Accenture for not picking up the security flaws in its systems, and Ticketmaster blamed Inbenta Technologies for failing to prevent malware from installing on the chatbot it created that featured on the ticket seller’s Website payment page.
In each instance, the ICO held the companies that commissioned the services were at fault—not the contractors.
In the case of BA, the ICO said the airline’s failure to use basic, readily available, and affordable security measures such as multi-factor authentication highlighted its lack of commitment to data security (among other issues). And while the ICO accepted that Accenture implemented, maintained, and/or managed certain aspects of Marriott’s IT security, the regulator ruled “the engagement of third parties cannot reduce [Marriott’s] degree of responsibility.”
Ticketmaster, meanwhile, told the ICO there was “no just basis” for holding it liable and is planning to appeal. The company insists responsibility for its breach “lies first and foremost on the shoulders of the unknown criminal actors” and “thereafter … on Inbenta’s shoulders,” adding that “Inbenta’s failures caused the incident.” The ICO saw the situation differently: In its final decision notice, the organization makes it clear it was Ticketmaster’s responsibility to vet its third-party suppliers and that such vetting should be done more regularly than once every five years (Ticketmaster only conducted security reviews on Inbenta in 2013 and 2018).
There are several key takeaways compliance officers should take note of, say experts. First, EU data protection authorities will typically hold the companies that collect and store customer data—the “data controllers”—ultimately responsible for data protection. Second, third parties (data processors) that have access to that data—or are even involved in trying to make it secure—are in practice likely to avoid regulatory penalties (though data subjects can bring civil claims against them).
Mehboob Dossa, corporate and data privacy partner at law firm McGuireWoods, says that “it would be naïve of any company that outsources IT services to think that it is outsourcing either its responsibility for data protection or its liability with regards to being held accountable by a regulator.”
Experts also point out that regulators are unlikely to examine the relationship between a company and its third-party service providers in much depth. Derek Taylor, lead principal security consultant at cyber-security vendor Trustwave, says that “irrespective of the use of any third parties, be it cloud providers, software developers, or others, companies are always accountable and responsible for the purpose and means of data and its processing entrusted to them as the data controller under GDPR.”
Another factor common to the three cases is companies’ over-reliance on the capabilities of third-party IT experts (combined with a lack of follow-up or review), confusion about what they were commissioning those experts to do, and possible misunderstandings about the scope of their own responsibilities (and liabilities) under the GDPR.
For example, Marriott was slow to retire the legacy IT system it inherited when it acquired the Starwood hotel chain but thought Accenture would have discovered the flaws in the network and suggested remedial actions as part of its work. Meanwhile, BA referred Swissport to its Third-Party System Access Agreement, which included information on general password security but failed to assess whether the security measures (single username/password login details) were adequate.
Ticketmaster, on the other hand, put strong conditions in its supplier contract with Inbenta that would make it liable if the tech firm failed to keep the software in its chatbot free from malware. However, Ticketmaster did not conduct a formal risk assessment of the chatbot (contrary to its own secure coding guidelines) and did not check whether Inbenta needed to comply with the Payment Card Industry Data Security Standard (PCI DSS) as it had to. Inbenta did not need to be compliant because it did not store, process, or transmit cardholder data itself, while Ticketmaster wrongly used the chatbot on its payments pages—a move Inbenta says it was unaware of and would have cautioned against due to inherent security concerns.
Experts say compliance officers should focus on three key areas for improvement: making contract terms with third parties more stringent and detailed; being very clear about what the scope of their work will be; and ensuring the company itself reviews IT systems, third-party IT services, and data protection measures regularly.
“It is not enough to just put contract terms in place,” says Camilla Winlo, director of consultancy at data privacy specialist DQM GRC. “The data controller needs to have procedures that monitor compliance with the terms of the contract and to ensure that data is being properly protected.”
Possible steps include checking that third-party suppliers are adhering to proper data security standards, policies, and procedures and that suppliers (and sub-contractors) accept a suitable level of contractual liability to indemnify any losses or regulatory fines their failures cause for controllers.
However, not everyone believes it is necessarily the right approach to make data controllers solely accountable for GDPR violations. Rich Vibert, CEO and co-founder of data privacy software firm Metomic, says that “it’s too easy to use BA, Marriott, or Ticketmaster as scapegoats for their violations and let their third-party service providers off the hook,” adding that “accountability down the chain is clearly missing.”
Peter Crowther, partner at law firm Winston & Strawn, believes while engaging a third party to process data does not of itself absolve the data controller, “it might seem fair to suppose that where a third party is engaged and its data security measures are subsequently found to be insufficient, the third party ought to be fined and not the ‘innocent’ client.”