How to effectively manage the risk of data breaches by third parties

Since the EU’s General Data Protection Regulation (GDPR) was launched in 2018, corporate legal teams affected by the regulation have had mixed results trying to comply. For example, a survey shows that more than half of GDPR-relevant companies did not respond to consumer requests for their data – an important feature of the new data protection regulations – within the required period of one month, and 80% of companies complained that implementing the GDPR was more difficult than other data protection or security requirements.

Meanwhile, the USA’s flagship data protection act, the California Consumer Privacy Act (CCPA), goes into effect on July 1st – and more and more chief legal officers (60%) say privacy is the biggest legal challenge facing their organization.

However, as some companies find, compliance with data protection regulations often goes beyond the most heavily observed consumer protection regulations. Earlier this year, online retailer Hanna Andersson suffered a data breach through its external e-commerce partner Salesforce. The resulting class action lawsuit is the first under the CCPA’s privacy policy to seek damages of up to $750 per affected person; Hanna Andersson estimates that up to 10,000 people could be affected by the breach.

Why providers are often a “hidden risk”

It’s not hard to see how the financial ramifications of a breach regulated by the CCPA (or the GDPR, which allows fines of up to $20 million or 4% of annual sales) can quickly become an unsustainable risk for any business. However, the Hanna Andersson case was nothing special: in March, General Electric suffered a data breach through a Canon subsidiary. T-Mobile also suffered a security breach in March from a third-party email provider.

Indeed, according to some estimates, companies can be more exposed to an indirect data breach than a direct one; a study by the Ponemon Institute found that 61% of companies surveyed had a data breach due to lax third-party cybersecurity. What’s worse, 66% of organizations that have experienced a security breach did not have an inventory of which vendors and other third parties had access to their data.

Susanna McDonald, VP and Chief Legal Officer at the Association of Corporate Counsel (ACC), didn’t have this data on hand years ago when she realized that third party access to sensitive corporate data was a growing problem for many global companies.

“For my team, I had to emphasize, among other things, that I view third parties in a completely different and holistic way,” says Susanna. “Maybe we’re using a third-party database system – that’s a third-party type. But then we also outsource some aspects of our services to other providers, which is a different kind of third party provider. So you have to think in several directions to determine whether and how much data you share and store with providers who have access to sensitive areas of your company.”

Statistics from 2019 point to a breathtaking year for third-party data breaches, with the number of records disclosed increasing 273% year over year to 4.8 billion. An average of 13 million records were disclosed for each third-party data breach, making it by far the worst year ever.

What’s worse, a third-party breach costs, on average, twice as much as a normal breach. When you factor in the impact on brand reputation, loss of business, and the potential depreciation of stocks, the total cost of failing to effectively screen and evaluate third parties is approximately $13 million. There are also ongoing regulatory requirements for notifying incidents and breaches – a completely different set of rules and headaches for many organizations that lack the technology and automated processes to comply with these regulations.

“When you see what your suppliers have access to, you open your eyes to a lot of what’s going on out there,” said McDonald.

Open the ‘black box’ of Vendor Risk

To determine the level of risk to which a company is exposed, the General Counsel and Chief Legal Officer, along with the Chief Privacy and Information Security Officers, must find answers to the following five questions:

  • Who are our suppliers?
  • Which of them have access to our data?
  • Which specific data do they have access to?
  • Which providers are relevant to data protection?
  • How do they protect our data?

Because vendor risk is sometimes an afterthought, companies often don’t keep an up-to-date list of their vendors. However, this is a critical step in opening the “black box” of risks that vendors pose to your business – whether from external government regulations or internal business requirements.

“These [regulatory] programs are incredibly complicated,” says McDonald. “The variety of systems that we have to adhere to are incredibly complex. They have dozens, if not hundreds, of vendors for you to evaluate. And it’s really hard to gauge what is too risky and what is an acceptable level of risk. So it is really important that you have a complete picture of how your data is not only stored but also used.”

Measuring the Benefits of Vendor Risk Services

According to McDonald, the ACC recommends a routine assessment of your third parties, at least annually, to identify and address weaknesses in the management of your business information.

“When we implemented the Vendor Risk Service (VRS) system in our process, we not only revised our contract review process, but also went back to the RFP process,” explains Susanna. “We implemented the VRS system during the RFP process for the final candidates. And it must also contain a preliminary contract that we need to review together with the results of the VRS process matrix so that we can take this information into account when making the decision as to which provider to choose.”

Susanna says these changes have given them insight into their vendors and helped provide a catalog of information required for data mapping – which ultimately streamlines other processes in their department.

“Can you imagine going through an entire tender, then closing the contract, and then trying to negotiate the privacy and security issues only to find out that they don’t meet your needs? And that basically happens a lot.”

Robert Grosvenor, Managing Director at Alvarez & Marsal (UK), agrees that this is an eye-opening experience – but it is a process that is best managed at the beginning of the contractual arrangement.

“It’s about understanding your path to GDPR or data protection compliance and maturity,” Grosvenor said during an Exterro webcast in May. “There are a lot of very good tools that can help. But if you don’t understand what you are buying – the services you get upfront in the contract, the data that goes with them – it’s very difficult to retrofit a vendor risk assessment.”

To protect your business, look for “adequate” third-party security measures

It is important to understand that there is simply no such thing as infallible security. No matter how much a company spends, it cannot ensure that data is not being misused. Courts therefore look for repeatable, consistent and “reasonable” security processes and measures. Do you have a uniform, documented process for assessing risks on the basis of recognized legal frameworks? This will help reduce the fallout should a breach occur.

Deleting data in accordance with regulations and industry best practices is a critical aspect of adequate security, because if you do not store the information, your vendors will not have access to it and you cannot suffer a security breach. This is a core component of appropriate security measures and is under the full control of the organization.

In other words, data that you don’t have cannot be misused. And if old data is not deleted, a claim for negligence is always asserted in the event of a breach.

In the meantime, as more GCs, CLOs, CISOs, and CPOs implement security measures that mitigate third-party risks, we are likely to see many more high-profile data breach and lawsuit cases. If you take proper security measures today, you can keep your business from making headlines tomorrow.
