The Black Shadow hacking group’s attack on Cyberserve, reported a few days ago, has resulted (at this point in time) in the leaking of a database with more than 800,000 records pertaining to various individuals and the exposure of additional databases. This attack raises important questions about the relations between database owners and the third parties with whom they engage to receive various services relating to business activities that incidentally involve their data.
The reality is that, in most instances, data processing operations require the use of third parties to perform the operations themselves. Whether storage services (cloud or more localized server farms) or mailing services to customers, the use of tools such as cloud based CRM solutions or the inclusion of payment gateway on a website page, all involve data processing by a third party.
Outsourcing or the use of a third-party data processor is regulated under Israeli law. The Israeli Privacy Protection (Data Security) Regulations impose several obligations on database owners when engaging with third parties for receipt of service, if such service entails the granting of access to a database.
This law imposes numerous and very substantial obligations.
Prior to entering an engagement with a third party, the database owner must examine the data security risks involved in the engagement and ensure that these risks are duly addressed.
The engagement must be by way of a written agreement between the database owner and the third party that expressly defines the following: what information the third party may process, the permitted purposes of the use of the data within the scope of the engagement, which databases the third party is permitted to access, the type of processing or operations the third party may perform, how the data will be returned to the database owner upon the conclusion of the engagement, how and when to destroy the data in the possession of the third party, and more.
Besides the agreement at the onset of the engagement, the law imposes additional obligations on the database owner during the course of their engagements, such as performing periodic audits and supervise the rectification of detected deficiencies. Database owners must carry out constant audit and control processes if they use third-party services.
In other words, a database owner is ultimately responsible towards the data subjects. The database owner is required to address the data security risks in any engagement with third parties. The use of outsourcing in no way releases the database owner from this responsibility, including in instances of cyberattacks, such as the recent Cyberserve hack.
Consequently, when outsourcing services are purchased online using a uniform click-accept contract or when services are purchased from international corporations, the database owner will not fulfill its minimum obligations without examining the data security issues and risks.
Similar and even broader obligations also exist in the European General Data Protection Regulation (GDPR). Therefore, if you are a database owner that engages in international activities, your agreements with third parties must also regulate these data security aspects of the activity.
Even when there is some corporate affiliation between the database owner and the third party responsible for data processing operations (such as in the instance of a parent company and a subsidiary), a suitable intercompany agreement that expressly covers data security issues and risks has to be put in place.