Suppliers' protection of data in transit as important as security of data at rest, says expert

Out-Law News | 18 Mar 2014 | 3:29 pm | 3 min. read

Businesses must check how prospective suppliers will protect information as it flows between those suppliers' servers and their own IT systems, an expert has said.

IT contracts specialist Iain Monaghan of Pinsent Masons, the law firm behind Out-Law.com, said that, in a cloud computing environment in particular, suppliers are often keen to promote the security they offer for stored data. However, he said that data in transit is as susceptible to hackers as data at rest, and that businesses must carry out proper due diligence on suppliers to understand how those providers will address security across the entire communications path, not just in the data centre.

"Businesses must look beyond suppliers' claims about the security of their data centres," Monaghan said. "They must also ensure that suppliers are able to give appropriate protection to information as it makes its journey between supplier servers and systems used by businesses and their customers. If it is not protected, the data is vulnerable to being compromised and can expose IT buyers to regulatory investigations as well as other risks, such as to their reputation."

Monaghan said that businesses may sometimes be able to agree information security schedules with suppliers that will allow them to ensure personal data and other confidential business information is kept secure both when the data is at rest and in transit. He said, though, that in other circumstances IT buyers may have to rely on the contract terms suppliers use for dealing with information security issues.

"Whilst many UK suppliers will specifically reference their commitment to complying with the UK's Data Protection Act (DPA) for the processing and storage of personal data, suppliers based elsewhere may not," Monaghan said. "Businesses should assess that the way those suppliers will protect personal data is compliant with the DPA."

The expert said that having suitable contractual provisions in place with suppliers was not enough for businesses to absolve themselves of liability for data breach incidents should they occur. He said businesses should have mechanisms for monitoring suppliers' data security practices and that particular attention should be paid to how old and new suppliers address data security matters when services are being migrated between the companies.

Monaghan was commenting after telecoms giant BT confirmed that the UK's data protection watchdog, the Information Commissioner's Office (ICO), is "conducting an unverified assessment" into alleged security failings by a supplier tasked with managing the migration of customer email addresses from a previous supplier's systems.

A whistleblower at Critical Path, a US-based supplier contracted to provide email services to BT and since acquired by Openwave Messaging, raised concern with the ICO over the security of BT customers' email account details when the supplier was moving the data from systems operated by BT's old supplier Yahoo! to its own IT infrastructure, according to a report by the Register website.

"BT has been made aware by the ICO that they are conducting an unverified assessment in relation to BT Mail security, a service which is provided by Openwave (formerly Critical Path)," a spokesperson for BT said in a statement. "BT takes the security of all products very seriously and, in the process of developing new services with partners, we rigorously audit and test for security, and fix any identified issues before going into live service. We believe this unverified assessment of BT Mail relates to an issue identified and fixed as part of our normal testing and development process."

Openwave Messaging said it "takes operational security very seriously" and would "fully cooperate with any ICO assessment to ensure that consumers are reassured that their data is safe". It said its own investigations had not uncovered "any evidence of data breach".

"We believe any issues that have been raised with the ICO are likely to be ones that have already been identified and corrected during the normal course of our comprehensive security tests that we carry out before launch," the company said, according to the Register's report.

The ICO said that the whistleblower's evidence had indicated that "BT customer email accounts were being compromised by spammers/scammers on a daily basis and that BT was aware of this", according to the Register's report. The watchdog therefore said it was "unlikely that BT has complied with the requirements of the DPA", although it has asked BT for further information.

Data protection law expert Kathryn Wynn of Pinsent Masons said that, in an outsourcing environment, businesses must not only put in place "solid contracts" that cover suppliers' data protection obligations but also monitor compliance with those terms.

"Where businesses are seeking to move from one supplier to another it is imperative that they have an exit plan to ensure old suppliers remain incentivised to comply with their obligations even where relationships may have turned sour, but also to ensure new suppliers' information security measures are up-to-date and appropriate during times when teething problems with the implementation of new systems by new people may arise," she said.