When governments suffer data leaks, the traditional fallout of a breach is combined with political scandal – the impact is multiplied and the scrutiny magnified. Questions are asked about why information was withheld or, if it was announced soon after discovery, why it took so long to uncover.
Just as a business suffers reputation damage after a breach, the Swedish Government faces a real struggle to regain citizens’ confidence. So far two government ministers have been sacked, and the investigation into the handling of sensitive government data on its citizens and national security is expanding. Rebuilding trust, if it is possible at all, will involve the removal of some high-profile ministers, and Anders Ygeman, the country’s home affairs minister, and Anna Johansson, the infrastructure minister, were the first to hand in their resignations.
This and other recent third-party breaches challenge the assumption that data is safer with service providers. Organizations often outsource IT functions because specialist companies are seen to have better infrastructure and cybersecurity capabilities. They have economies of scale as well as an economic incentive to keep data secure – they lose business if it isn’t. Yet what appears to be lost on some organizations is that when you outsource or put data in the cloud, you remain the data controller – the accountability for security and privacy remains with you.
When outsourcing is the most viable option, governments tend to transfer some of the risk onto third parties through contracts, setting specific clauses that ensure data is held and used in ways appropriate to its sensitivity. These usually include requirements around data access as well as the ‘right to audit’; however, some of these vital clauses were left out of the contract with IBM in order to speed up the process. This corner-cutting resulted in the sensitive information being readily available to non-vetted IT workers outside of Sweden – and this was not just PII, but also highly sensitive national security information. As such, when entering into partnerships that involve sensitive or confidential data, organizations must scrutinize contracts. Companies can no longer plead ignorance of their third party’s actions – GDPR’s shared-responsibility approach will enforce this further – so they must ensure that all bases are covered from the outset.
Furthermore, in addition to the exposure of data to IBM contractors outside of Sweden, the Swedish Transport Agency was very careless in how it shared information on Swedish citizens with marketers who subscribe to its databases. These breaches were not the result of some sophisticated hacking attack or social engineering scam. It is hard to believe that massive breaches of this kind continue to happen through negligence and carelessness, but they do.