Even with all that, Ulsch noted that protecting the integrity of information remains the primary responsibility of the company. "While various regulations may also hold third parties accountable, never assume that the obligation of compliance is assignable to another company," he wrote.
Finally, Arlen said a major weakness in BAAs or SLAs is that too often they are "either focused on a specific compliance regulation — be it PCI or HIPAA — which is itself not a 'security' thing but rather a 'cover-asses-in-these-specific-ways' thing.
"The fix we need is meta-compliance — actual security rather than theatre that smells like security," he said.