Unless you read the news really carefully you might not know how often data breaches involve a vendor. The headline is "Famous Big Company Breached" but the reality is that one of their smaller, less-famous vendors actually lost data that the larger company had collected from consumers and then shared with the vendor. There are a number of interesting and important things to point out about this phenomenon, including...
The vendor typically lacks the cybersecurity resources and standards of the larger company, and even...
The vendor often did something especially dumb like leave the data on an internet-facing server with no authentication at all, yet...
The larger company often still bears explicit legal responsibility for the data loss, and...
The larger company might take the brunt of the PR hit solely for being more visible.
My previous go-to example was Quest Diagnostics in the summer of 2019. They shared data with a collections agency called AMCA, which then lost it. Even though the role of AMCA was disclosed, the headlines focused solely on Quest as the more recognizable company and the originator of the data. Quest was of course also still liable under HIPAA.
The examples have kept coming and will keep coming. Just in the past week, Volkswagen announced the loss of 3.3 million consumer records. As in the case of Quest, the actual loss occurred at a vendor, in this case a company that had been providing sales and marketing services. As in the case of Quest, it is still Volkswagen that is in the headlines.
Private computation techniques can help with this problem: homomorphic encryption lets a vendor compute directly on ciphertexts it cannot read, and federated learning, where the vendor's job is machine learning or AI, keeps the raw records with their owner and moves only model updates. Data is usually shared with vendors for a circumscribed purpose, and private computation is a way to ensure that the data stays encrypted everywhere except the point where a human actually needs a plaintext insight to extract business value. A vendor that exposes a bucket full of ciphertexts, with the private key held only by the data owner, has exposed nothing a thief can use.
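To make the vendor scenario concrete, here is an added example (my own code, not from the original post or any product mentioned in it) using a textbook Paillier cryptosystem, which is additively homomorphic. The data owner encrypts per-customer spend values and hands only ciphertexts to the vendor; the vendor totals them and applies a public weighting factor without ever seeing a plaintext; only the owner, holding the private key, can decrypt the aggregate. The customer records, key size and weighting factor are constructed for the demo.

```python
"""Additively homomorphic aggregation at a vendor, using textbook Paillier.

Added example, not from the original post. Roles:
  - data owner: generates the key pair, encrypts records, decrypts results
  - vendor:     receives ciphertexts only, computes on them, never decrypts
The sample records and the 512-bit key size are constructed for the demo;
use a 2048-bit or larger modulus and a vetted library in practice.
"""
import math
import secrets


def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # composite witness found
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def keygen(bits: int = 512):
    """Return (public_key, private_key) for a modulus of about `bits` bits."""
    while True:
        p = _random_prime(bits // 2)
        q = _random_prime(bits // 2)
        if p != q and math.gcd(p * q, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    # With generator g = n + 1, L(g^lam mod n^2) == lam mod n, so mu = lam^-1 mod n.
    mu = pow(lam, -1, n)
    return n, (n, lam, mu)


def encrypt(n: int, m: int) -> int:
    """Owner side: c = (1 + n)^m * r^n mod n^2 with a fresh random r."""
    nsq = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(n + 1, m, nsq) * pow(r, n, nsq)) % nsq


def decrypt(priv, c: int) -> int:
    """Owner side: m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, lam, mu = priv
    nsq = n * n
    return (((pow(c, lam, nsq) - 1) // n) * mu) % n


def add_encrypted(n: int, c1: int, c2: int) -> int:
    """Vendor side: multiplying ciphertexts adds the underlying plaintexts."""
    return (c1 * c2) % (n * n)


def scale_encrypted(n: int, c: int, k: int) -> int:
    """Vendor side: raising a ciphertext to k multiplies the plaintext by k."""
    return pow(c, k, n * n)


def vendor_aggregate(n: int, ciphertexts) -> int:
    """Vendor side: encrypted sum of all records, using only the public key."""
    total = encrypt(n, 0)                         # fresh encryption of zero
    for c in ciphertexts:
        total = add_encrypted(n, total, c)
    return total


def demo():
    """Owner encrypts, vendor aggregates and weights, owner decrypts.

    Returns (decrypted_total, decrypted_weighted_total, plaintext_total).
    """
    pub, priv = keygen(512)
    spend_cents = [1299, 4500, 0, 7325, 999]      # constructed sample records
    ciphertexts = [encrypt(pub, v) for v in spend_cents]
    enc_total = vendor_aggregate(pub, ciphertexts)
    enc_weighted = scale_encrypted(pub, enc_total, 3)   # public factor, constructed
    return decrypt(priv, enc_total), decrypt(priv, enc_weighted), sum(spend_cents)


if __name__ == "__main__":
    total, weighted, expected = demo()
    print(f"vendor-computed total: {total} (expected {expected})")
    print(f"vendor-computed 3x total: {weighted}")
```

Two properties matter for the vendor-breach story. First, the vendor's working set is ciphertexts and the public key, so a leaked bucket is useless without the private key that never leaves the owner. Second, Paillier encryption is randomized: two records with the same value produce different ciphertexts, so a thief cannot even count how many customers spent nothing. The limitation is the one the paragraph names: whatever the owner decrypts (here, the total) is plaintext again and must be protected like any other result, and this textbook implementation is for understanding the mechanism, not for deployment.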