Company vs. Service Provider: Data Breach Responsibility
I have come across several articles over the past month or so that have talked about risk mitigation. This isn’t uncommon, but there was a recurring theme that I had to address. There has been confusion recently as to who holds more responsibility: the service provider, or the company that created the data? The company will always have some level of responsibility; however, it is the service provider’s duty to provide services that mitigate risk and provide protection in the event of a data breach. It is the responsibility of the company to contract with a certified service provider that can evaluate the current process and help them put the proper procedures in place to mitigate the risk of a data breach. I will highlight some best practices on both ends and hopefully clear the air.
The data may be managed, stored, secured, and destroyed by the vendor, but the company created and owns the data, and it is the company’s responsibility to protect it. The best thing a company can do is pick a reputable service provider with the proper certifications. The company must then follow the service provider’s process accordingly. If the service provider has a particular process for your data security, whether at its creation or at end of life, it’s best to stick to that process as stringently as possible. More than likely this process was created with a set of standards or compliance requirements in mind and was designed specifically for security. Contractually, a company’s indemnification may depend on whether or not it followed the process correctly.
Service Provider’s Responsibility
The service provider should assume most of the responsibility in the relationship. They are the professionals who provide security services for a living, so all the necessary steps should be in place to protect themselves and their customers. Keep this in mind when looking at service providers: make certain that they have the necessary certifications to assume that responsibility. A well-prepared service agreement should be the beginning of it all, followed by a contract that is updated regularly and as circumstances change. These two items will ensure that the relationship is well established and that it is clear what is being provided by both parties.
It is also the service provider’s responsibility to perpetually maintain their processes. If the company is diligent, their data destruction provider will have the proper certifications (ISO 27001, ISO 14001, etc.) and will have their systems managed continually, as well as participate in yearly audits.
Lastly, an item that is often overlooked is insurance. Having a provider with proper insurance coverage provides financial benefits to both the provider and the company. These policies are also a great stopgap to cover anything that may have been missed at the contract and service agreement stage.
While both sides have a responsibility to themselves and to each other, it is the service provider that should be continuously identifying and mitigating the company’s risks specific to data security. At TechR2, we take it upon ourselves to provide current and prospective clients with the best possible service. We spend a lot of time and money to ensure that our processes are seamless and compliant, and that we also have the proper certifications and insurance in the event of a catastrophe.
Would you like to put your process to the test?
Click below to sign up for a no-cost evaluation of your current process.