Assuming this is a DC (Co X) - DP (Co A) arrangement, Co X currently carries the full liability for CMPs. The contract could include clauses to attempt to recover damages from Co A.
In the GDPR world, Co A has requirements for compliance, and consequently has potential liability for penalties. Co X has as well. If Co X has not done sufficient due diligence on Co A, the ICO might deem them more culpable.
As to insurance, that's something to discuss with your insurers, but 4% of global t/o plus several tens (to thousands) of thousands of pounds in costs and other losses might be a starting point.
> On 8 Mar 2017, at 16:56, Danny Budzak <[log in to unmask]> wrote:
>
> Hi,
>
> With more organisations using cloud services, does anyone have any thoughts or practical experience of insurance issues?
>
> For example, organisation X uses a cloud service (for example, for job recruitment) with company A.
>
> Company A is responsible for the information security of the service - both in terms of technology (firewalls, anti-virus) and people (training of their staff, confidentiality clauses and so on).
>
> Company A then manages to lose personal data.
>
> ICO imposes fine.
>
> Who pays? Organisation X or Company A?
>
> And....does organisation X have to make sure that Company A has the relevant type of insurance to cover a data breach? If so, what sort of sum should be insured for?
>
> Any thoughts on or off list - or practical examples would be greatly appreciated.
>
> thanks + rgds
>
> Danny
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^