- A recent Ponemon study found that over half of its respondents had experienced a data breach caused by a third party
- Why the “fingers crossed” approach will not mitigate third-party privacy risks
- 4 essential steps to managing third-party privacy risks
“No man is an island, entire of itself; every man is a piece of the continent, a part of the main.”
If no man is an island, as the English poet John Donne famously proclaimed, neither is any business a fortress in this interconnected age. Thanks to digitalization, small businesses like neighborhood food trucks outsource payment processing to mobile payment vendors, and larger businesses outsource major business functions, along with the customer information those functions need.
Unfortunately, a new Ponemon study shows that privacy and security practices haven’t caught up with our interconnected reality. Over half of the survey respondents reported that their organization had experienced a data breach caused by a third party.
Yet over half also reported that their organizations are not assessing or managing the security and privacy risks associated with third parties, in part because those tasked with third-party management don’t have the expertise, and “it’s complicated.”
Privacy is complicated, but third-party relationships entail serious risks—risks that privacy teams have the expertise to help manage and mitigate. By helping to identify and manage third-party risks from the beginning of the business relationship, they can protect their organizations and also make their own jobs a lot simpler down the line.
A “Fingers Crossed” Approach
In the introduction to the new Ponemon study, SecureLink CEO Joe Devine describes the typical approach to third-party risk as “fingers crossed.” As he rightly points out, the question with this approach is not whether a data breach will happen, but when, and how big it will be.
Every privacy professional knows that pointing at a negligent third party will not absolve an organization of its regulatory responsibility. Yet 63% of the Ponemon respondents say their businesses rely on the reputation of the third party when selecting vendors, and only 48% believe their vendors are even aware of the breach reporting requirements in their industry.
Data security is an important part of third-party privacy (and the reason SecureLink sponsored the study). But without assurance of a vendor’s privacy practices and incident reporting capability, organizations are still in for trouble: a vendor that cannot detect or report a breach leaves you unable to meet your own notification deadlines.
To fully manage third-party risk, the privacy team needs to be involved at all stages of third-party relationships.
Step 1: Vetting Third-Party Vendors
One of the simplest ways to mitigate third-party risks is to choose vendors that already have good privacy and security practices in place. Yet:
- Over half (51%) of the Ponemon study respondents said their organizations don’t assess the security and privacy practices of third parties during the selection process
- 61% say their third-party management program does not define or rank levels of risk
- Only 39% even require a majority of potential vendors to fill out a security questionnaire
Privacy teams need to get involved in the third-party selection process and help develop risk assessment tools and criteria.
Depending on the level of information to be entrusted to the vendor, vetting processes could include:
- A review of the vendor’s security policies and processes, ideally backed by independent evidence (audit reports, penetration test summaries) rather than a self-attested questionnaire alone
- A review of their data breach and compliance history
- A look at customer reviews and complaints about privacy
- Investigation into any subcontractors the vendor may bring into contact with your information, since your obligations follow the data down the chain
With centralized management of third-party sourcing and relationships, it may be easier for the privacy team to become part of the process. If your organization is one of the 53% where this function isn’t centralized, the privacy team may have to rely on relationships with business managers in functional areas to learn about third-party vendor selection and get involved.
Step 2: Onboarding and Day-to-Day Management
Once third-party partners are hired, their privacy risks need to be managed like any other business function, but this is more the exception than the rule. According to the Ponemon study, 54% of those surveyed said their organizations don’t monitor the security and privacy practices of the third parties with whom they share PII, and 54% don’t even have a comprehensive list of third parties with access to their internal networks.
Instead of monitoring third-party access to data, 61% said their organizations rely on contract terms with third parties to keep information safe. (Again, not an excuse that regulators will accept: a contract assigns liability, it does not prevent a breach.)
If third-party staff have access to private or sensitive data, they need the same privacy training and regulatory updates as internal staff. Third-party policies and processes should be reviewed periodically, and each third-party organization should have one or more designated privacy and compliance liaisons. When privacy regulations change, third-party processes, policies, and contracts need to be updated to stay compliant.
When privacy teams work with their IT partners to create and maintain data maps, those maps should include data shared with third parties, how it is used, and who has access to it. Without that inventory, you cannot answer the basic incident question of which vendors hold a given data set.
With new regulations such as the CCPA requiring transparency about the use of personal information, privacy teams need to keep on top of third-party data usage. Privacy and security teams should also collaborate on minimizing and de-identifying the data shared with third parties wherever possible: a vendor cannot leak what it was never given.
Step 3: Incident Reporting
Setting up privacy controls for third-party vendors may take time, but vendors should be ready to report incidents from the first day they have access to private and sensitive information. Their staff should know how to recognize an incident and how to report it, either directly into your incident management platform or to a designated contact within your organization.
The incident response team needs an incident response platform that provides up-to-date risk assessment across all applicable jurisdictions and data sets. With such a platform, a liaison within the vendor company, and a data map that covers third-party data and mitigation measures, the incident response team should be able to assess the incident, make notification decisions, and meet compliance deadlines almost as efficiently as it could for an in-house incident.
Step 4: Building Bridges
No organization is an island these days, certainly not where information is concerned. Instead, businesses and their partners form complex ecosystems of information and access. But judging by the Ponemon report, the security and privacy functions are still often isolated from what’s happening with third parties.
To manage third-party risks effectively, privacy and security teams will need to build bridges, first with the internal players who choose and manage third-party relationships, and then with their counterparts within those companies. That will take time and effort, and it may begin with small steps, but the stakes are high.