
Introduction

In the wake of escalating third-party data breaches, data controllers must vigilantly employ their audit rights to gain a comprehensive understanding of such incidents. The recent breach involving Okta, a renowned identity and access management company, underscores the need for this proactive approach. When Okta disclosed the breach, it impacted approximately 2.5% of its customer base, spotlighting the substantial risks and consequences associated with third-party data breaches.

The Perils of Relying Solely on Processor Statements

Traditionally, in the event of a data breach, the affected data processor issues a breach statement. This statement, often crafted with a focus on safeguarding the processor’s brand and limiting reputational damage, may not provide a complete or transparent view of the incident. Data controllers, in their pursuit of compliance and risk mitigation, cannot rely solely on these statements. They are obligated to understand the breach in its entirety, including how it occurred, the data involved, and the measures taken by the processor post-incident.

Invoking Audit Clauses: A Necessary Step

Data controllers must invoke the audit clause in their agreements with third-party data processors. This contractual provision allows them to conduct an independent examination of the breach. The audit should focus on understanding the breach’s nature, the effectiveness of the processor’s incident response, and any gaps in their security measures. This information is pivotal for the data controller to fulfil their regulatory obligations, inform affected parties accurately, and implement necessary changes to their data protection strategies.

Learning from the Okta Incident

The Okta breach, facilitated through a subprocessor, Sykes, highlights the complexity and multi-layered nature of third-party relationships. Hackers infiltrated Sykes’s network, and the impact reached Okta’s customers. The delayed disclosure and the nature of the breach reveal critical lessons for data controllers. The incident emphasises the need for robust vendor management, continuous monitoring, and the essential role of audits in understanding and mitigating third-party risks.

Mitigating Risks and Ensuring Compliance

Data controllers are responsible for ensuring compliance with data protection laws, such as the GDPR and others globally. Conducting thorough audits after a breach not only helps in regulatory compliance but also plays a significant role in maintaining customer trust and organisational reputation. It allows data controllers to assess their third-party risk management strategies, adapt to evolving cyber threats, and enhance their overall security posture.

Conclusion

The reliance on third-party data processors necessitates a rigorous and proactive approach from data controllers. Invoking audit clauses after a breach provides a more nuanced and comprehensive understanding of the incident, beyond what is offered in a processor’s breach statement. As the digital landscape evolves, so should the strategies of data controllers in managing and mitigating third-party risks, ensuring they remain resilient in the face of such challenges.

In this ever-evolving digital landscape, the need for meticulous and expert-driven third-party audits has become paramount for data controllers. Formiti Data International Ltd’s Global Privacy Audit Service emerges as an invaluable resource in this context. Specialising in comprehensive audits, Formiti’s service is tailored to help data controllers navigate the complexities of third-party data breaches. Their approach goes beyond surface-level assessments, delving deep into the intricate details of how a breach occurred and the subsequent handling by the data processor.