Cybersecurity insiders have told Business Insider that non-disclosure agreements allow European firms to “make a mockery” of Europe’s data laws, letting them cover up security breaches and potentially avoid millions of dollars in fines.
Europe’s GDPR legislation, which came into force in May 2018, requires firms to disclose major data breaches to local regulators.
European regulators enforcing the law have shown some teeth, with the UK’s data watchdog fining British Airways and hotel group Marriott for data breaches this year. British Airways was told to cough up around $229 million, while Marriott was fined close to $130 million.
But two senior employees at some of the UK’s most prominent cybersecurity firms say the use of NDAs by clients means similar breaches aren’t being disclosed to the authorities.
Cybersecurity firms don’t have to disclose data breaches that affect their clients
The use of NDAs has become standard practice between those offering cybersecurity expertise and their clients, due to the sensitive nature of their work.
And security firms are not obliged to report their clients’ data breaches to the authorities.
One employee, who spoke to Business Insider on the condition of anonymity, said they were personally aware of a number of high-profile companies which had kept their security breaches a secret, but declined to name the companies.
A second person described an incident in which an unknown agent hacked into a major international law firm’s webcams, listening into weeks’ worth of private meetings in which sensitive information was discussed.
“Unfortunately, it isn’t our job to do anything about it. We just find out what’s going on and tell our client,” the person said. “Even then, after we tell them what’s happened, they don’t necessarily take all the steps they could to prevent it happening again. If there’s no tangible consequences, why would they?”
Under the GDPR, failure to notify authorities of a data breach can cost a company up to $11 million or 2% of global annual turnover, depending which is higher. In the UK, companies affected must notify the ICO within 72 hours of becoming aware of the breach.
Ahmal Johal, director of consumer rights action law firm Your Lawyers, which is representing victims of the BA breach, told Business Insider “firmer legal procedures” could force companies that have suffered breaches to be more transparent.
“If there is any uncertainty as to whether GDPR can supersede an NDA or not, it seems that the rules need to be reviewed,” he said. “We may need firmer legal procedures in place to ensure consumer data protection is not obstructed by NDAs. If this issue results in businesses concealing potentially serious data breaches, then the way these relationships are regulated should be revised.”
He added: “The key priority for businesses should be to protect the personal data of their clients. There should be transparency between businesses, cybersecurity firms and the ICO to ensure this is upheld.”
But others defended the nature of the relationship between cybersecurity companies and their clients. Jeremy Hendy, CEO at IT security firm Skurio, said: “It’s hard to envisage a situation where we would feel it appropriate or necessary to independently inform the ICO of a data breach.
“Where our analyst teams are working on behalf of a customer, our duty is to inform that customer of our findings, and it’s their responsibility to investigate and report it. Everything we do for our clients is kept confidential, as it’s really important we’re seen to act as an extension to their internal resource.”
Paul Sutton, head of research and development at cyber firm Redscan, agreed, saying it was the responsibility of the breached organisation to report it.
“NDAs are common practice between security providers and their clients, helping to establish a level of trust between parties,” he said. “If businesses believe they can’t trust their security partners, then many may choose not to seek the help they need. The result of this, ironically, is more breaches may be swept under the carpet.”
When approached by Business Insider, the ICO confirmed cybersecurity companies were under no obligation to report their clients’ data breaches, but did point us to its whistleblower guidelines.
“If a cybersecurity firm has concerns [their client] is failing to act after being made aware of a breach…we do investigate reports and intelligence from third parties that alert us but aren’t themselves victims,” a spokesman said. “If an individual or entity has concerns about data protection law being broken, we would always suggest they notify us so that we can decide how to proceed.”