IDG Contributor Network: Third-party risk: it’s the second hop you should fear
GDPR has changed everything now that May 25, 2018 has come and gone. We can no longer make pro-forma proclamations about being good stewards of others’ data; we will actually be held accountable for losing or misusing it. The fine print in a typical non-disclosure agreement will not protect a company from liability for the loss of sensitive data. The buck (or euro) stops at the data owner’s desk. What is the best mitigation strategy for a CISO facing this old, but now far more expensive, security problem?
Some company will inevitably be breached and become the first to be fined by an EU regulator. That’s an easy bet to make. Perhaps Vegas has a betting line on who it will be and how much they are fined, but I don’t think a CISO should be placing any bets. The prudent CISO should be considering a new way to protect data from third-party data losses: the second hop problem. That is, where does your data go when it leaves your hands and is passed on to another party? Are you still liable for what your partner does with your data?