Businesses are hiding data breaches behind cybersecurity NDAs

Big companies may have found a loophole in avoiding reporting data breaches and facing fines through NDAs.
10 December 2019

Marriott came clean on its data breach. Source: Shutterstock

European firms are covering up data breaches, and possibly avoiding multi-million-dollar fines, under the guise of non-disclosure agreements (NDAs), according to cybersecurity firms speaking to Business Insider.

Europe’s GDPR (General Data Protection Regulation) legislation came into effect in May 2018 and has since led to landmark fines, such as that of British Airways (close to US$230 million), while Marriott was handed a US$123 million fine.

Faced with the damage to their value and reputation (and, of course, fines like those above) once a breach goes public, not all firms are coming forward to disclose breaches that have occurred, despite the requirement that organizations report personal data breaches to the relevant supervisory authority within 72 hours of discovery.

Two employees from leading cybersecurity firms said that the NDAs they operated under allowed some unnamed clients to “make a mockery” of European data regulations.

NDAs keep the relationship between cybersecurity firms and the companies using their services and consultation confidential, particularly given the sensitive nature of the information at risk. Moreover, cybersecurity firms are not required to report data breaches on behalf of their clients.

This has led to several high-profile companies allegedly exploiting NDAs in attempts to sweep security breaches under the rug, according to sources.

In one case, unidentified attackers hacked into an international law firm’s webcams and accessed weeks’ worth of private conversations containing sensitive information.

Under GDPR, failure to report a breach to the authorities can cost a company a fine of up to US$11 million or 2 percent of its global turnover, whichever is the higher sum.

Whose responsibility?

In light of these cases, companies may regard NDAs as a loophole or free pass to avoid disclosing security breaches. However, some authorities disapprove of this practice and are calling for stronger enforcement and closer scrutiny of the collaboration between cybersecurity firms and their clients.

Aman Johal, Director of consumer rights action law firm Your Lawyers, told Business Insider, “If there is any uncertainty as to whether GDPR can supersede an NDA or not, it seems that the rules need to be reviewed. […] the key priority for businesses should be to protect the personal data of their clients.

“There should be transparency between businesses, cybersecurity firms and the ICO (Information Commissioner’s Office) to ensure this is upheld.” 

Even so, a collaboration that deals with sensitive data requires some form of agreement to establish a level of trust. In this sense, stakeholders from IT security firms explained that the responsibility of cybersecurity companies is to present findings about customers’ systems, while reporting any data breach or security violation remains entirely in the hands of the clients.

Moreover, cybersecurity firms are drawing a clear line around their roles and responsibilities as an extension of the client’s internal resources.

Cybersecurity experts further pointed out the importance of NDAs in establishing the initial layer of trust and as building blocks for a long-term collaboration. NDAs protect the nature of that collaboration, but they should not prevent client companies from being transparent about data breaches.

In this sense, the ICO confirmed that cybersecurity firms do not bear the responsibility to report their clients’ data breaches, but where a cybersecurity firm raises concerns that a client has failed to comply with the required guidelines after a data breach, the authorities may step in and investigate.