Several recent data breach incidents reported to us provide examples of how letting it go may not be as liberating as hoped. Using Software as a Service (SaaS) offerings makes sense for many organisations. Like Elsa in Frozen, you may feel like you are casting off the burden of an obligation. But as Elsa found out, there may also be impacts on others that you did not realise might occur.
But first, what is SaaS? Software as a Service means you can rent software, such as Microsoft Office 365, rather than buy a license or code the software yourself. Usually the software is hosted by whoever you are renting from and is simply accessed by users through their web browser. A website might include various SaaS components to handle specific functions without it ever being obvious to users of the website that different software providers are involved.
Hacked
Of the 17 data breach incidents involving hacking reported to us last year, eight resulted from third-party systems (generally SaaS providers) being hacked.
One of the third-party service systems breached was PageUp, a platform that handles online service job applications. Several New Zealand based organisations reported to us that their job applicants might have been affected. Six months later, PageUp report that the independent forensic examination found no evidence that people’s information had been taken.
If you decide to use a third-party service to handle personal information, you remain responsible for protecting that information. This responsibility should not stop you from using third-party services. You simply need to assess the risks and make sure you deal with them appropriately.
Ticketmaster
Assessing the risks can be complex if your third-party provider also combines services from other providers to deliver its own service – as Ticketmaster in Britain found out. Ticketmaster had to deal with a large breach caused by software brought in by Ticketmaster’s service provider. Many New Zealanders who had used Ticketmaster had their credit cards replaced and some had to have fraudulent transactions reversed.
Choose the right options
You need to ensure you choose the configuration options available with the service to make it as secure as practicable. For example, in the case of PageUp, we are told that customers could set maximum periods for how long applicants’ details remain in the system. The sooner the service deletes the applications that you do not want, the fewer individuals’ personal data you are responsible for. Getting rid of information you no longer need is the common sense underlying information privacy principle 9 in the Privacy Act – agencies should not keep personal information for longer than necessary. If you no longer need it, get rid of it.
You also need to make sure that the contract you sign requires the service provider to promptly report any problems to you. You need to hear about any data breaches, promptly and in sufficient detail, so you can meet your obligations to the individuals affected. You are holding their information and, while you do so, you are responsible for keeping that information secure. This is the logic underlying principle 5 of the Privacy Act which relates to the storage and security of personal information.
Further comment on the Ticketmaster incident, with more technical advice, can be found here.
You can indeed “let it go” - but remember, you are responsible for the impacts your choices have on others.
We regularly get data breach notifications and will share the lessons learned from these. If you want to know more about how to handle data breaches, please check out our data safety toolkit.
Image credit: A US Coast Guard information systems security officer peers through a space in a server in April 2017 - via US Coast Guard blog.