Today we understand that your data is one of your most precious, strategic assets. But who truly owns or controls this valuable asset, especially when it’s shared with third parties? 

Third party risk is becoming increasingly important – indeed, it was one of the hot topics at the recent Gartner Security & Risk Management Summit 2024

The answer is more complex – and more interesting – than you may think. This article delves into the complexities of data ownership within a company, explores the implications of data sharing, and pinpoints who might be held accountable in the unfortunate event of a data breach.

The Elusive “Owner”: Data Governance within a Company

Unlike physical property, data ownership within a company isn’t always clear-cut. It’s more akin to a complex web of responsibility. While the company itself might be considered the ultimate “owner” from a legal standpoint, a concept known as data governance dictates who manages and controls specific datasets.

Data governance frameworks typically involve a triumvirate of key players:

Sharing the Data: The Third-Party Factor

The equation becomes even more complex when data is shared with third parties. Companies often share data with vendors, service providers, or even marketing partners to gain valuable insights or streamline operations. However, data sharing raises concerns about security and potential misuse.

There is a new type of attack called triple extortion ransomware that directly affects third parties.  

A notable example is the case with Tipalti. ALPHV, the attackers, allegedly stole 265GB of data from Tipalti and demanded a ransom (double extortion). 

However, upon examining the stolen files, the attackers discovered data belonging to Roblox, a much larger company. 

Consequently, the attackers contacted Roblox and demanded a ransom from them as well.

In triple extortion ransomware attacks, the problem becomes more complex:

How would ITsMine protect third parties in this case?

With ITsMine, Roblox could enhance file storage security (e.g., a regular SharePoint site) by ensuring all documents shared between companies in this folder are owned by Roblox, in a dedicated Virtual Vault. 

Utilizing features like File-GPS™ and FileTimeBomb™ , the files can exist outside the Virtual Vault only for a limited time, always remaining under Roblox’s full control.

In the event of a breach such as Tipalti’s, Roblox can:

The Legal Landscape: A Patchwork of Regulations

While data governance establishes internal control mechanisms, the legal landscape surrounding data ownership varies depending on the type of data, industry regulations, and even geographical location. Here’s a glimpse into some key considerations:

Breaches and Responsibility: Who Gets the Blame?

Unfortunately, data breaches are a harsh reality of the digital age. In the event of a breach, determining who is responsible depends on the specific circumstances. Here are some possibilities:

The Rise of Encryption-Less Ransomware: A New Twist on Data Ownership

The concept of data ownership becomes even more critical with the rise of encryption-less ransomware attacks. Unlike traditional ransomware that encrypts a company’s data, encryption-less ransomware focuses on stealing sensitive information and threatening to expose it publicly unless a ransom is paid. This tactic bypasses the need for complex decryption processes, allowing attackers to act faster and potentially cause even greater damage.

Impact on Data Ownership:

Similarly, in the event of a breach or an attempted breach, companies need to know exactly which files were compromised, and retain control over exfiltrated data. Again, this is where ITsMine comes in, but again, we’ll circle back to this shortly.

Addressing the Challenge:

By acknowledging the growing threat of encryption-less ransomware and taking proactive measures, companies can strengthen their data governance practices and better protect their valuable assets.

The Road Ahead: Navigating the Data Labyrinth

Data ownership and responsibility in today’s world are intricate concepts. Companies must navigate a complex web of internal governance structures, evolving regulations, and third-party interactions. Here are some key takeaways:

There’s no better partner for securing your data than ITsMine. With the company’s Encryption-less Ransomware Solution, organizations are able to access:

With Virtual Vaults, which includes proprietary technologies like FileGPS™ and FileTimeBomb™, ITsMine allows you to always be in full control of your sensitive files. 

You can create multiple “Virtual Vaults” within your central file storage system – including OneDrive, Google Drive, Dropbox, NetApp and any Windows/Linux file storage – with just a few clicks. Any folder can instantly be transformed into the safest digital space within your organization within which every file is protected end-to-end, even beyond company boundaries.    

Data is a powerful asset, but with great power comes great responsibility. By implementing a robust data protection solution, understanding the legal landscape, and prioritizing security, companies can navigate the complexities of data ownership and sharing while mitigating the risks of breaches and ensuring responsible data practices.


Encryption-less Ransomware: Best Practices for CISOs to Ensure Protection