Do You Own a Database? You’re Also Responsible for Actions Performed by Third Parties

Barnea Jaffa Lande & Co.

The Black Shadow hacking group’s attack on Cyberserve, reported a few days ago, has resulted (at this point in time) in the leaking of a database with more than 800,000 records pertaining to various individuals and the exposure of additional databases. This attack raises important questions about the relations between database owners and the third parties with whom they engage to receive various services relating to business activities that incidentally involve their data.

The reality is that, in most instances, data processing operations require the use of third parties to perform the operations themselves. Whether storage services (cloud or more localized server farms) or mailing services to customers, the use of tools such as cloud based CRM solutions or the inclusion of payment gateway on a website page, all involve data processing by a third party.

Outsourcing or the use of a third-party data processor is regulated under Israeli law. The Israeli Privacy Protection (Data Security) Regulations impose several obligations on database owners when engaging with third parties for receipt of service, if such service entails the granting of access to a database.

This law imposes numerous and very substantial obligations.

Prior to entering an engagement with a third party, the database owner must examine the data security risks involved in the engagement and ensure that these risks are duly addressed.

The engagement must be by way of a written agreement between the database owner and the third party that expressly defines the following: what information the third party may process, the permitted purposes of the use of the data within the scope of the engagement, which databases the third party is permitted to access, the type of processing or operations the third party may perform, how the data will be returned to the database owner upon the conclusion of the engagement, how and when to destroy the data in the possession of the third party, and more.

Besides the agreement at the onset of the engagement, the law imposes additional obligations on the database owner during the course of their engagements, such as performing periodic audits and supervise the rectification of detected deficiencies. Database owners must carry out constant audit and control processes if they use third-party services.

In other words, a database owner is ultimately responsible towards the data subjects. The database owner is required to address the data security risks in any engagement with third parties. The use of outsourcing in no way releases the database owner from this responsibility, including in instances of cyberattacks, such as the recent Cyberserve hack.

Consequently, when outsourcing services are purchased online using a uniform click-accept contract or when services are purchased from international corporations, the database owner will not fulfill its minimum obligations without examining the data security issues and risks.

Similar and even broader obligations also exist in the European General Data Protection Regulation (GDPR). Therefore, if you are a database owner that engages in international activities, your agreements with third parties must also regulate these data security aspects of the activity.

Even when there is some corporate affiliation between the database owner and the third party responsible for data processing operations (such as in the instance of a parent company and a subsidiary), a suitable intercompany agreement that expressly covers data security issues and risks has to be put in place.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Barnea Jaffa Lande & Co. | Attorney Advertising

Written by:

Barnea Jaffa Lande & Co.

Barnea Jaffa Lande & Co. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.