Entities in the finance, insurance, healthcare, and other highly regulated industries must comply with an increasingly complex maze of breach notification rules. Adding contractual notification obligations to the mix makes an already difficult task practically impossible to manage.
Organizations owning or processing regulated data can have hundreds if not thousands of clients, business associates, service providers, and other external entities with whom they do business. These business relationships mandate protection of regulated data and require notification to the data owners if there is an unauthorized disclosure of the data due to malicious or inadvertent incidents.
Until now, managing contractual notifications has been a manual, time-consuming process that requires sifting through contracts, and creates risk of noncompliance. Contractual notification obligations are often measured in hours or days rather than weeks or months, providing a major challenge to compliance. Noncompliance can result in serious consequences, including termination of relationships if obligations are not satisfied.
Regulatory jurisdictions are displayed alongside the contractual jurisdictions, allowing you to easily scan and prioritize your data breach response.
Introducing Contractual Obligation Workflow
With this patented feature, you can manage contractual notification obligations for both your upstream and downstream business relationships with clients, service providers, and business associates.
For managing upstream notification obligations to your clients, Radar® seamlessly extends its regulatory workflow to identify and provide guidance on all relevant incidents involving client data and contractual notification requirements.
For tracking downstream notification obligations from service providers or business associates that process your data, Radar® establishes a process for managing and gaining insights about which of your downstream entities pose high risk to your organization and how well they comply with their notification obligations.
You can take advantage of a fully integrated Radar® workflow to manage all regulatory and contractual incident response obligations, prove compliance, and mitigate risks stemming from incidents involving your own data or data that you process for your clients.
Third-Party Notification Module
- Efficiently manages your contractual notification obligations with clients or upstream entities (who you must notify)
- Effectively monitors compliance by your service providers or downstream entities (who must notify you)
- Uses the Radar® Breach Guidance Engine to assess the risk associated with an incident, and determine whether one or multiple clients must be notified
- Captures important contractual notification details for each external entity, including multiple notification timelines and contacts
- Provides easy tracking of notification due dates and proof of compliance with contractual obligations
- Allows for a nuanced configuration in which downstream entities act as an agent of your organization, to more accurately specify the correct incident discovery date
- Tracks if your downstream entities remain compliant with contracts, so you may better identify which entities present a risk to your business
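To make the deadline mechanics in the list above concrete, here is an added illustration (not Radar® code, and not from RadarFirst) of how per-entity contractual timelines turn into due dates and compliance checks. It assumes that timelines are measured from incident discovery, and that when a downstream entity is configured as your agent, its own discovery date starts your clock; the entities, windows and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Timeline:
    label: str          # e.g. "initial notice" or "written report"
    within: timedelta   # contractual window, measured from incident discovery
    contact: str        # who at the entity receives this notice

@dataclass
class Entity:
    name: str
    direction: str      # "upstream": you notify them; "downstream": they notify you
    timelines: list
    acts_as_agent: bool = False   # downstream entity configured as your agent

def incident_discovery(org_discovered, source=None, source_discovered=None):
    """Assumed agent rule: if the incident originated at a downstream entity that is
    configured as your agent, its discovery date starts your clock (earlier date wins)."""
    if source and source.direction == "downstream" and source.acts_as_agent and source_discovered:
        return min(org_discovered, source_discovered)
    return org_discovered

def upstream_due_dates(discovered, entities):
    """Due date for every timeline owed to an upstream entity, earliest first."""
    due = [(discovered + t.within, e.name, t.label, t.contact)
           for e in entities if e.direction == "upstream" for t in e.timelines]
    return sorted(due)

def downstream_compliance(entity, their_discovery, their_notice_to_us):
    """Did a downstream entity meet each window it owes you? Returns {label: bool}."""
    return {t.label: their_notice_to_us <= their_discovery + t.within for t in entity.timelines}

# Constructed sample entities and dates (not real organizations)
CLIENT_A = Entity("Client A (health plan)", "upstream", [
    Timeline("initial notice", timedelta(hours=72), "privacy@client-a.example"),
    Timeline("written report", timedelta(days=10), "legal@client-a.example")])
CLIENT_B = Entity("Client B (hospital)", "upstream", [
    Timeline("initial notice", timedelta(hours=24), "ciso@client-b.example")])
VENDOR = Entity("Analytics vendor", "downstream", [
    Timeline("notice to us", timedelta(hours=48), "vendor-mgmt@ourorg.example")], acts_as_agent=True)
ORG_DISCOVERED = datetime(2024, 3, 5, 9, 0)      # when your own team learned of the incident
VENDOR_DISCOVERED = datetime(2024, 3, 1, 14, 0)  # when the vendor learned of it

if __name__ == "__main__":
    start = incident_discovery(ORG_DISCOVERED, VENDOR, VENDOR_DISCOVERED)
    for due, name, label, contact in upstream_due_dates(start, [CLIENT_A, CLIENT_B]):
        flag = "OVERDUE at discovery" if due < ORG_DISCOVERED else ""
        print(f"{due:%Y-%m-%d %H:%M}  {name:<22} {label:<14} {contact}  {flag}")
    print(downstream_compliance(VENDOR, VENDOR_DISCOVERED, ORG_DISCOVERED))
```

Because the vendor is configured as an agent, the 24-hour and 72-hour windows are already past by the time your own team learns of the incident, which is exactly why the discovery date configuration matters.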
Managing PCI Incidents with the Contractual Obligations Workflow
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that apply to companies working with and associated with payment cards, including merchants, financial institutions, point-of-sale vendors, and hardware or software developers who create and operate the global infrastructure for processing payments.
If your organization’s PCI data is compromised in an incident, that incident must undergo a multi-factor risk assessment in order to determine if the incident qualifies as a data breach and requires notification to state and federal regulators.
In addition, your organization may be contractually obligated to notify multiple credit card issuers, merchants, and associations of this data breach. The Contractual Obligations Workflow can help meet these notification requirements for incidents involving PCI data.
Third Party Notifications Use Case
A RadarFirst customer in the healthcare industry relies on regulated data to conduct business. It is also partnered with dozens of vendors and business associates who access the company’s data in order to conduct business. Each vendor and associate, as well as the organization itself, has a unique process for, and requirements around, data breach notifications. Failure to comply with these unique data breach mandates can result in termination of profitable relationships, as well as a steep loss of trust from stakeholders and customers of all parties.
The healthcare organization has found incredible value in its use of third parties to increase its resources with limited headcount budgets; for example, its vendors and partners support its data processing and data analytics needs. However, it is also aware that third parties pose a risk, particularly in a highly regulated industry. When a data breach occurs within a third party, the notification obligations increase nearly 4X, according to RadarFirst’s 2023 privacy incident management benchmarking report.
The organization has long performed risk assessments before onboarding or partnering with third parties, and believed that it had therefore been doing its due diligence to avoid partnering with entities that posed a high, or unnecessary, risk. That is, until the inevitable data breach occurred at its partnered data analytics firm and the healthcare organization struggled to identify the details of the incident, and whether or not it needed to notify its clients of a breach of their PI.
Radar® was already helping them simplify compliance with global data breach laws, so the organization turned to RadarFirst to adopt the Third Party Notification Module as well, in order to ensure their streamlined privacy incident management processes also included all third parties. They quickly realized that waiting until an incident has occurred to start preparations just doesn’t make sense given the current regulatory climate.
The Third Party Notification Module in Radar® allowed the healthcare organization to efficiently manage their contractual notification obligations with clients and upstream entities, whom they were required to notify in case of a breach, as well as to effectively monitor compliance by their service providers and downstream entities.
The module also helped the privacy team capture important contractual notification details for each external entity, including multiple notification timelines and contacts.
The result for the healthcare organization was a reported 95% reduction in the number of missed contractual obligations, which allowed it to maintain its highly valuable third party relationships while protecting its brand, reputation—and, importantly, its customers—from unnecessary exposure and risk.