The management of Talk Talk must be feeling very unlucky to be fined yet again and to be in the news for all the wrong reasons. Or is this type of data breach commonplace among enterprises that rely on third-party cloud organisations and SaaS applications to process and store customer PII?
BY RAVI PATHER, EPERI
Is this Talk Talk data breach the tip of the iceberg, and is it in fact affecting many enterprises?
GDPR has identified this very risk when data controllers use third-party cloud data processors for the processing and storing of customer PII and sensitive PII data. GDPR provides specific guidelines and best practice around "data security by design", "comprehensive security", the "minimisation of PII and sensitive data" and "pseudonymisation of PII and anonymisation of sensitive PII data".
Under GDPR, had these basic data security guidelines been implemented by Talk Talk when using third-party data processors, this breach would not have happened. Had the PII data been pseudonymised and the sensitive PII anonymised, it would have been meaningless and valueless to anyone intercepting it.
GDPR guidelines specify that as soon as a data breach is detected, the data controller must notify the DPA and the data subjects within 72 hours, and that controllers must implement systems that detect data breaches and compromises. The scope of many of these intrusion detection systems does not extend to third-party cloud data processor systems beyond detecting compromised log-in credentials. The answer is to implement the GDPR guidelines for comprehensive data security when using third-party data processors and to render the PII data meaningless and unintelligible. GDPR strongly recommends data pseudonymisation and encryption to protect PII and sensitive PII data in the first instance.
GDPR's Data Breach Notification (DBN) provision (Article 34) says that there is no need for data breach notification if the PII data has been rendered unintelligible to any person who is not authorised to access it (including the data processors), using techniques such as data pseudonymisation and encryption, provided the data cannot be reversed to identify the data subject. This is usually achieved by separating the encryption controls and process from the data processor and placing them only with authorised personnel of the data controller. These GDPR data security guidelines should be seen as a corporate risk mitigation against GDPR fines and the brand and reputational damage that follows a breach notification.
At eperi we recommend that enterprises immediately investigate the above risks of such data breaches when using third-party cloud data processors. We are seeing this data security risk as commonplace among enterprises leveraging cloud services and SaaS applications, even to the point of accepting that the data processor controls the encryption process and keys for its customers' PII data at rest. Enterprises should look to immediately implement the GDPR guidelines for security and data protection of their customers' PII and sensitive PII data when using third-party data processors.
eperi recommends that enterprises move beyond the initial GDPR discovery phases and now implement the GDPR data security best practice guidelines when using third-party data processors.