Increasingly, organizations look to third parties to collect, process, and store their data. In some instances, organizations reduce their net risk by outsourcing these data functions to companies with a core competence in data protection. In many other cases, the economic benefit of outsourcing can come at a compliance cost. Estimates of how often data breaches are caused by third-party vendors and service providers vary widely. We have seen estimates from 12 percent to 63 percent.1 Below, we identify key considerations for organizations to reduce this compliance and data protection risk.
1. Conduct Privacy and Data Protection Risk Assessments that Cover Third Parties
Conducting a comprehensive privacy and data protection risk assessment can help an organization mitigate its risk exposure. Risk assessments should cover third-party access to its data, systems, and facilities. The assessments help an organization identify threats and vulnerabilities, and take steps to mitigate them. The Federal Trade Commission first imposed this requirement on financial institutions pursuant to the Gramm-Leach-Bliley Act2, and it has expanded to cover other entities. Often, parties can leverage existing assessments conducted by trusted third parties. The documentation associated with a draft and final contract should record an organization’s key understandings of data access, and the organization should have a process in place to revisit the sufficiency of controls before allowing the vendor more extensive access.
2. Classify Data and Map Data Flows
Regularly performing data classification and data flow mapping exercises is an integral step in an organization’s risk management process. Classifying data means to place data elements into such categories as top secret, sensitive personal data, business confidential, personal data, and non-personal/ non-confidential. Once data is classified and an organization has identified the types of data it has and can create corporate policies around handling and processing each of the data types. Mapping data flows is an exercise to document how and why an organization’s data is collected and moves among systems, departments, and third parties.
Together, documented data classifications and data maps provide an organization with a full picture of how it handles data. Armed with data classification policies and data maps, an organization can better identify and mitigate threats and vulnerabilities. For example, with this knowledge, an organization can limit the types of data that flow among systems, departments, and third parties to only that which is necessary, thereby reducing risks from data breaches. Again, if the vendor relationship changes through a series of subsequent service agreements, an organization should have a process in place to determine whether changes to the data flows would require revision to the data protection procedures.
3. Document, Implement, Review, and Update Appropriate Policies and Procedures
An organization benefits from documenting, using, and updating its policies and procedures covering data collection, use, sharing, and protection. An organization should also provide regular training on its policies and procedures. These actions can help create a culture of privacy and data protection. The policies and procedures should cover how the organization works with third-party vendors who will have access to the organization’s data, network, and facilities. The policies and procedures might include, for example, standard questionnaires for vetting prospective vendors, key terms to include in contracts that may allow third parties access to information or information systems, and a process to identify repeat issues and build a database of appropriate negotiation responses.
4. Perform Due Diligence Prior to Working with Third Parties
One of the most valuable actions an organization can take to reduce cyber risk is to perform appropriate diligence when selecting third parties that will have access to the organization’s data, systems, and facilities. The National Institute of Standards and Technology’s (“NIST”) recent updates to its Framework for Improving Critical Infrastructure Cybersecurity highlight a focus on supply chain risk management. The level of due diligence should correspond to the perceived level of risk from the third party, such as the sensitivity and volume of the data involved, and the purpose for which the third party has access to the data, systems, and facilities. Due diligence may comprise carefully reviewing documents provided by the third party, including answers to questionnaires, third-party audit conclusions, compliance with known industry standards (e.g., implementation of NIST, ISO, and SANS critical security controls), internal training provided to employees, cyber insurance policies, and internal policies and procedures. More rigorous due diligence includes on-site audits, performing penetration testing of online services, and hiring a third-party auditor to audit the third party.
5. Perform Ongoing Oversight of Third Parties
Ongoing oversight of third parties is important and should be adjusted based on the types and volume of data handled by the third party, the third party’s uses of the data, and the ever-changing data security environment. Even when an organization performs thorough due diligence at the time it selected the third party, the value of such diligence decreases over time. Periodic checks of both the third party’s performance and how an organization’s relationship with the third party has changed can provide important situational awareness. Knowing when a relationship has fundamentally changed (or is about to) is a key signal to renew and adjust diligence efforts.
6. Ensure Agreements with Third Parties Appropriately Assign Risk
An organization can reduce risk and liability for third-party data breaches by ensuring it has contractually protected itself. In its agreements with third parties, an organization should ensure that third parties are required to comply with certain data security and privacy practices that flow down to subcontractors, and that the organization can audit the third parties’ practices. Contracts should also assign detailed responsibilities to the parties in the event of a data breach, such as describing third-party actions that must be taken to mitigate harm from the breach, requiring ongoing third-party reports of the breach investigation progress, and assigning payment obligations for any notifications and credit monitoring provided to affected individuals.
An organization should also avoid caps on damages under the contract that would severely impact an organization’s ability to recover its damages from a data breach. Additionally, the contract should require the third party to cover the organization for any claims made by affected individuals or customers as a result of a third party’s data breach.
7. Obtain Cyber Insurance Coverage and Require Third Parties to Have Applicable Insurance Policies
An organization can greatly benefit from a cyber insurance policy that covers the primary risks it faces from data breaches. The cyber insurance policy may also cover data breaches involving third parties. An organization should additionally consider contractually requiring third parties to carry cyber insurance that will pay the organization’s damages in the event of a data breach. A third party that has cyber insurance will have gone through some scrutiny of its data security practices during the underwriting process. If the organization wants to rely on the third party’s insurance coverage, though, it is also important that the organization review the third party’s policy for exclusions (such as an exclusion for claims arising from contractual obligations) that could prevent it from recovering under the policy if the third party experiences a data breach.
In a world where fully secure data is not an achievable goal, organizations can significantly benefit from taking multiple steps to reduce information and systems security risk. As noted, working with third parties can both increase and reduce risk. Third parties may have data security measures in place that an organization does not have. Regardless, an organization should take steps, including those described above, to protect itself in the event a third party has a data breach affecting the organization’s data. Merely assuming that a third party will secure information assets consistent with the organization’s standards and expectations can have disastrous effects.
One estimate from RADAR, Inc. indicated that approximately 12 percent of breaches of the sample set of 10,000 incidents from the past year were caused by third parties. IAPP, Surprising stats on third-party vendor risk and breach likelihood, available at iapp.org. A survey of enterprise-level organizations by Soha Systems indicated that third parties accounted for approximately 63 percent of data incidents. Soha Systems, Third Party Access Is a Major Source of Data Breaches, Yet Not an IT Priority, available at go.soha.io.
Fed. Trade Comm’n, Standards for Safeguarding Customer Information, 16 C.F.R. § 314.4 (b), (d), hereinafter FTC Safeguards Rule, available at ftc.gov.
For example, Massachusetts enacted a law modeled on the FTC Safeguards Rule requiring any entities with personal data about Massachusetts residents to perform risk assessments that include vendor oversight. Massachusetts’ 201 CMR 17.03 (2)(b), hereinafter Massachusetts Data Security Law, available at mass.gov. Payment card standards also require merchants to perform risk assessments, including those of payment-related service providers. Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures Version 3.2, § 12.8.3 (April 2016), hereinafter PCI DSS, available at pcisecuritystandards.org.
Fed. Trade Comm’n, Protecting Personal Information: A Guide for Business, hereinafter FTC Business Guide, available at ftc.gov. (“Understanding how personal information moves into, through, and out of your business and who has—or could have—access to it is essential to assessing security vulnerabilities.”). Data mapping is likely required to comply with the EU’s General Data Protection Regulation (GDPR), Art. 30, available at data.consilium.europa.eu.
FTC Safeguards Rule, 16 C.F.R. § 314.4 (“Tak[e] reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations.”); Massachusetts Data Security Law, 201 CMR 17.03 (2)(f)(1) (same). See also the EU’s General Data Protection Regulation (GDPR), Art. 28 (“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”).
NIST, Framework for Improving Critical Infrastructure Cybersecurity, DRAFT, available at nist.gov (with markup). The draft framework is also available without markup at nist.gov (“NIST Cybersecurity Framework”).
NIST Cybersecurity Framework, at 17 (“Verify cybersecurity requirements are met through a variety of assessment methodologies.”).
The PCI DSS requires merchants to annually assess service providers’ PCI DSS compliance level. PCI DSS, § 12.8.4. See also NIST Cybersecurity Framework, at ID.SC-4 (“Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted.”).
FTC Safeguards Rule, 16 C.F.R. § 314.4 (d)(2) (“Requir[e] your service providers by contract to implement and maintain such safeguards.”); Massachusetts Data Security Law, 201 CMR 17.03 (2)(f)(2) (same); NIST Cybersecurity Framework, at ID.SC-3 (“Suppliers and partners are required by contract to implement appropriate measures designed to meet the objectives of the Information Security program or Cyber Supply Chain Risk Management Plan.”).