Mitigating Third Party Data Breach Risks

by Reed Smith

Increasingly, organizations look to third parties to collect, process, and store their data. In some instances, organizations reduce their net risk by outsourcing these data functions to companies with a core competence in data protection. In many other cases, the economic benefit of outsourcing can come at a compliance cost. Estimates of how often data breaches are caused by third-party vendors and service providers vary widely; we have seen estimates ranging from 12 percent to 63 percent.[1] Below, we identify key considerations for organizations seeking to reduce this compliance and data protection risk.

1. Conduct Privacy and Data Protection Risk Assessments that Cover Third Parties

Conducting a comprehensive privacy and data protection risk assessment can help an organization mitigate its risk exposure. Risk assessments should cover third-party access to its data, systems, and facilities. The assessments help an organization identify threats and vulnerabilities, and take steps to mitigate them. The Federal Trade Commission first imposed this requirement on financial institutions pursuant to the Gramm-Leach-Bliley Act,[2] and it has expanded to cover other entities. Often, parties can leverage existing assessments conducted by trusted third parties. The documentation associated with a draft and final contract should record an organization’s key understandings of data access, and the organization should have a process in place to revisit the sufficiency of controls before allowing the vendor more extensive access.

2. Classify Data and Map Data Flows

Regularly performing data classification and data flow mapping exercises is an integral step in an organization’s risk management process. Classifying data means placing data elements into categories such as top secret, sensitive personal data, business confidential, personal data, and non-personal/non-confidential. Once data is classified, an organization has identified the types of data it holds and can create corporate policies around handling and processing each type. Mapping data flows is an exercise to document how and why an organization’s data is collected and how it moves among systems, departments, and third parties.

Together, documented data classifications and data maps provide an organization with a full picture of how it handles data.  Armed with data classification policies and data maps, an organization can better identify and mitigate threats and vulnerabilities. For example, with this knowledge, an organization can limit the types of data that flow among systems, departments, and third parties to only that which is necessary, thereby reducing risks from data breaches.  Again, if the vendor relationship changes through a series of subsequent service agreements, an organization should have a process in place to determine whether changes to the data flows would require revision to the data protection procedures.

3. Document, Implement, Review, and Update Appropriate Policies and Procedures

An organization benefits from documenting, using, and updating its policies and procedures covering data collection, use, sharing, and protection.  An organization should also provide regular training on its policies and procedures. These actions can help create a culture of privacy and data protection.  The policies and procedures should cover how the organization works with third-party vendors who will have access to the organization’s data, network, and facilities. The policies and procedures might include, for example, standard questionnaires for vetting prospective vendors, key terms to include in contracts that may allow third parties access to information or information systems, and a process to identify repeat issues and build a database of appropriate negotiation responses.

4. Perform Due Diligence Prior to Working with Third Parties

One of the most valuable actions an organization can take to reduce cyber risk is to perform appropriate diligence when selecting third parties that will have access to the organization’s data, systems, and facilities. The National Institute of Standards and Technology’s (“NIST”) recent updates to its Framework for Improving Critical Infrastructure Cybersecurity highlight a focus on supply chain risk management. The level of due diligence should correspond to the perceived level of risk from the third party, such as the sensitivity and volume of the data involved, and the purpose for which the third party has access to the data, systems, and facilities.  Due diligence may comprise carefully reviewing documents provided by the third party, including answers to questionnaires, third-party audit conclusions, compliance with known industry standards (e.g., implementation of NIST, ISO, and SANS critical security controls),  internal training provided to employees, cyber insurance policies, and internal policies and procedures. More rigorous due diligence includes on-site audits, performing penetration testing of online services, and hiring a third-party auditor to audit the third party. 

5. Perform Ongoing Oversight of Third Parties

Ongoing oversight of third parties is important and should be adjusted based on the types and volume of data handled by the third party, the third party’s uses of the data, and the ever-changing data security environment. Even when an organization performs thorough due diligence at the time it selects the third party, the value of such diligence decreases over time. Periodic checks of both the third party’s performance and how an organization’s relationship with the third party has changed can provide important situational awareness. Knowing when a relationship has fundamentally changed (or is about to) is a key signal to renew and adjust diligence efforts.

6. Ensure Agreements with Third Parties Appropriately Assign Risk

An organization can reduce risk and liability for third-party data breaches by ensuring it has contractually protected itself. In its agreements with third parties, an organization should ensure that third parties are required to comply with certain data security and privacy practices that flow down to subcontractors, and that the organization can audit the third parties’ practices. Contracts should also assign detailed responsibilities to the parties in the event of a data breach, such as describing third-party actions that must be taken to mitigate harm from the breach, requiring ongoing third-party reports of the breach investigation progress, and assigning payment obligations for any notifications and credit monitoring provided to affected individuals.

An organization should also avoid caps on damages under the contract that would severely impact an organization’s ability to recover its damages from a data breach. Additionally, the contract should require the third party to cover the organization for any claims made by affected individuals or customers as a result of a third party’s data breach.

7. Obtain Cyber Insurance Coverage and Require Third Parties to Have Applicable Insurance Policies

An organization can greatly benefit from a cyber insurance policy that covers the primary risks it faces from data breaches.  The cyber insurance policy may also cover data breaches involving third parties.  An organization should additionally consider contractually requiring third parties to carry cyber insurance that will pay the organization’s damages in the event of a data breach.  A third party that has cyber insurance will have gone through some scrutiny of its data security practices during the underwriting process.  If the organization wants to rely on the third party’s insurance coverage, though, it is also important that the organization review the third party’s policy for exclusions (such as an exclusion for claims arising from contractual obligations) that could prevent it from recovering under the policy if the third party experiences a data breach.
In a world where fully secure data is not an achievable goal, organizations can significantly benefit from taking multiple steps to reduce information and systems security risk.  As noted, working with third parties can both increase and reduce risk.  Third parties may have data security measures in place that an organization does not have.  Regardless, an organization should take steps, including those described above, to protect itself in the event a third party has a data breach affecting the organization’s data.  Merely assuming that a third party will secure information assets consistent with the organization’s standards and expectations can have disastrous effects.

  1. One estimate from RADAR, Inc. indicated that approximately 12 percent of breaches of the sample set of 10,000 incidents from the past year were caused by third parties. IAPP, Surprising stats on third-party vendor risk and breach likelihood, available at A survey of enterprise-level organizations by Soha Systems indicated that third parties accounted for approximately 63 percent of data incidents.  Soha Systems, Third Party Access Is a Major Source of Data Breaches, Yet Not an IT Priority, available at
  2. Fed. Trade Comm’n, Standards for Safeguarding Customer Information, 16 C.F.R. § 314.4 (b), (d), hereinafter FTC Safeguards Rule, available at
  3. For example, Massachusetts enacted a law modeled on the FTC Safeguards Rule requiring any entities with personal data about Massachusetts residents to perform risk assessments that include vendor oversight.  Massachusetts’ 201 CMR 17.03 (2)(b), hereinafter Massachusetts Data Security Law, available at Payment card standards also require merchants to perform risk assessments, including those of payment-related service providers. Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures Version 3.2, § 12.8.3 (April 2016), hereinafter PCI DSS, available at
  4. Fed. Trade Comm’n, Protecting Personal Information: A Guide for Business, hereinafter FTC Business Guide, available at (“Understanding how personal information moves into, through, and out of your business and who has—or could have—access to it is essential to assessing security vulnerabilities.”). Data mapping is likely required to comply with the EU’s General Data Protection Regulation (GDPR), Art. 30, available at
  5. FTC Safeguards Rule, 16 C.F.R. § 314.4 (“Tak[e] reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations.”); Massachusetts Data Security Law, 201 CMR 17.03 (2)(f)(1) (same). See also the EU’s General Data Protection Regulation (GDPR), Art. 28 (“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”).
  6. NIST, Framework for Improving Critical Infrastructure Cybersecurity, DRAFT, available at (with markup). The draft framework is also available without markup at (“NIST Cybersecurity Framework”).
  7. NIST Cybersecurity Framework, at 17 (“Verify cybersecurity requirements are met through a variety of assessment methodologies.”).
  8. The PCI DSS requires merchants to annually assess service providers’ PCI DSS compliance level. PCI DSS, § 12.8.4.  See also NIST Cybersecurity Framework, at ID.SC-4 (“Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted.”).
  9. FTC Safeguards Rule, 16 C.F.R. § 314.4 (d)(2) (“Requir[e] your service providers by contract to implement and maintain such safeguards.”); Massachusetts Data Security Law, 201 CMR 17.03 (2)(f)(2) (same); NIST Cybersecurity Framework, at ID.SC-3 (“Suppliers and partners are required by contract to implement appropriate measures designed to meet the objectives of the Information Security program or Cyber Supply Chain Risk Management Plan.”).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Reed Smith | Attorney Advertising
