Using a third party for IT might change your exposure, but it doesn’t eliminate it.
Consider what happens in the event of a data breach. If an organisation outsources its data storage to a third party and that third party is breached, the organisation could be forgiven for thinking that responsibility for notifying affected individuals, and for dealing with any subsequent regulatory action, would rest with the breached third party.
But that’s generally not the case.
If an individual has entrusted their personal data to an organisation, it is the organisation that is responsible for looking after that data, regardless of whether or not a third party is utilised to look after it. If that data is lost or stolen, then it is the organisation that will be accountable for any notification requirements, regulatory investigations, fines or penalties that do arise, and it will be their reputation that suffers, not the third party’s.
Of course, it isn’t just breaches of data at outsourced IT providers that could leave businesses exposed. Many businesses rely on third parties for business-critical operations, and should those providers experience a system failure, it could have a catastrophic effect on the company’s ability to trade, resulting in a business interruption loss and additional costs incurred to continue trading.
Claiming back these losses from a third party can also prove to be easier said than done. Most third-party technology service providers have standard terms of service that severely limit their liability in the event that a breach or system outage causes financial harm to one of their clients.