Third-Party Data Protection: Are Your Vendors Prepared?
By: Lisa-Mae Hill, CTPRP on October 2 2024
6 min read
Cybersecurity incidents, such as data breaches and ransomware attacks, have become increasingly common in recent years. Threat actors from around the globe continue to target a wide range of industries and organizations of all sizes. The consequences of these incidents can range from operational disruptions and reputational damage to legal action and financial loss. Implementing a robust cybersecurity program that follows industry best practices on data protection can help minimize the impact of these incidents.
However, ensuring your organization is ready to protect against data breaches is only half of the equation – your vendors play an equally important role in safeguarding your sensitive information. By assessing your vendor’s preparedness and implementing data protection best practices into your third-party risk management (TPRM) program, you can identify additional risks and protect your data.
The Importance of Third-Party Data Protection
When thinking about the importance of third-party data protection, it may help to shift your perspective towards a personal level. Chances are, your own sensitive data is handled by several organizations, such as financial institutions, healthcare providers, and online retailers. You would expect each of these organizations to safeguard your data, even if it’s being accessed or stored by a third party, like a cloud service provider.
The same principle applies to your organization and protecting your customers’ data. Third-party data protection is your organization’s responsibility to ensure your vendors are prepared to prevent, identify, and respond to incidents that can expose your customers’ data. Integrating third-party data protection practices into your TPRM program can help build and maintain trust with your customers, prevent financial loss, and meet regulatory requirements.
Regulatory Requirements for Third-Party Data Protection
Many regulators have outlined significant cybersecurity requirements for organizations, including data protection practices. These requirements can extend to third-party data protection in many cases where a vendor has access to sensitive information. These regulations cover many different industries in several countries, highlighting the importance of TPRM and protecting data.
Here is a brief overview of regulatory requirements that pertain to third-party data protection:
- Gramm-Leach-Bliley Act (GLBA) – This requires organizations involved in finance to safeguard the security and confidentiality of their customers’ non-public personal information (NPPI). Per the requirements, organizations should have written data protection policies and practices.
- General Data Protection Regulation (GDPR) – This EU regulation is designed to protect a customer’s data and privacy. Third-party data protection is achieved by establishing a data processing agreement with your vendors and including data breach notification requirements in your contracts.
- Health Insurance Portability and Accountability Act (HIPAA) – The Privacy Rule and Security Rule require organizations to safeguard protected health information (PHI). HIPAA includes third-party data protection practices such as performing risk assessments on business associates and developing contracts to ensure PHI is safeguarded.
- Prudential Standard CPS 234 Information Security (CPS 234) – This regulation from the Australian Prudential Regulation Authority (APRA) aims to keep organizations resilient against cybersecurity incidents. Data that is managed by third parties should be protected through activities like risk assessments, due diligence, and control testing.
- State privacy laws – California was the first state to enact a data privacy law, which has been amended to the California Privacy Rights Act (CPRA). Many other states have also passed their own laws that protect their citizens’ data privacy. In general, these privacy laws contain language to ensure organizations and their third parties are protecting data from unauthorized use or disclosure. The New York Department of Financial Services (NYDFS) also has a cybersecurity regulation titled NYCRR 500, which requires financial institutions to have certain data protection practices in place. Organizations must report third-party cybersecurity incidents and include vendors in their business continuity and disaster recovery plans.
Are Your Vendors Prepared to Protect Data?
When performing due diligence on a vendor, you should be sure to identify any potential risks and weaknesses that could leave your organization vulnerable to a data breach. You must ensure the vendor can protect the data from hackers, especially if the vendor has access to sensitive data.
Here are some questions that can help determine the effectiveness of your third party’s data protection practices:
- Does the vendor remain updated on changes to regulations and new data protection laws?
- What controls are in place to protect your customers’ sensitive data?
- How does the vendor train their staff on cybersecurity best practices?
- Does the vendor run network and social engineering tests to check how well it can identify common cyberattacks such as phishing emails?
- What effective incident response plans are in place?
- How would the vendor handle follow up and resolution to data breaches?
- What methods are used to protect data in transit and at rest?
- Does the vendor have policies for data retention, data destruction, and data privacy?
- Do the vendor’s policies address data in both physical and electronic formats?
Understanding how the vendor would handle an incident may give you a good idea of any risks present and how well the vendor’s procedures and priorities align with those of your organization. New risks and vulnerabilities can emerge at any time, so your organization should continue to review and assess third-party data protection practices throughout the relationship. Additionally, as regulatory guidelines continue to evolve to protect organizations and set strict standards for data protection, it’s important to ensure your organization and your vendors comply, or risk heavy fines.
Don’t Forget Your Fourth-Party Vendors
Another important step for your third-party data protection strategy is to understand the risks that fourth-party vendors may pose. While it’s possible to set standards and report on your third parties, mitigating fourth-party risk can be difficult. However, by communicating with your critical vendors to receive information, including their vendor management policies and lists of their critical vendors, you can gain insights into any potential security risks from a fourth party.
Best Practices for Third-Party Data Protection
The initial due diligence process is only the first part of the third-party relationship, and the risks associated with your third party will continue to exist throughout your entire relationship. Just as you’ll regularly assess your vendor’s performance, services, and financial health, for example, it’s also imperative to perform ongoing due diligence to check for cybersecurity measures.
Here are several suggested best practices for implementing third-party data protection into your third-party risk management strategies:
- Only share sensitive data with vendors when necessary, and don’t give vendors access to sensitive data when it isn’t required. This is known as the principle of least privilege, which means that no one should access data unless they need it to perform their duties. This key third-party data protection practice ensures your data isn’t at a greater risk of exposure.
- Assess the third party’s cybersecurity risks. Before beginning a third-party relationship, your organization will want to ensure the third party has data protection policies and practices in place. During due diligence, it’s important to review the third party’s documentation and assess their data security practices in areas like management, retention, destruction, and encryption. Security testing, incident management, and employee training should also be assessed to determine effectiveness.
- Monitor your vendor for any changes in risk and performance. A sudden decline in a vendor’s performance or a rise in vulnerabilities may indicate that their data protection practices are becoming less effective. For example, maybe the vendor’s penetration testing results reveal a month-to-month increase of critical vulnerabilities over the past year. This should initiate a closer look at the vendor’s controls to identify the issues and determine any next steps for the relationship.
- Make data protection a priority in third-party contracts. Contracts are one of the best tools to outline third-party data protection requirements. Third-party contracts should include requirements about data breach notifications and the right to audit the vendor’s cyber policies and procedures. You may also want to include security testing requirements and expectations on regulatory compliance.
- Maintain the expectations of your organization and stay up to date with updated laws and regulations. Compliance expectations should be clearly communicated with your vendor to ensure you’re both following the same data protection standards. As new data protection laws and regulations are released, it’s still your responsibility to ensure compliance within your organization and any vendors that have access to your data.
To best protect your organization and your customers, you must remain vigilant. By implementing third-party data protection and continuing to monitor your vendors, you will be able to mitigate cybersecurity risks and protect your organization from disastrous data breaches.
Related Posts
Cloud Service Provider Breach: Lessons From the Snowflake Attack
If your organization relies on a cloud service provider (CSP), the recent Snowflake data breach has...
Third-Party Risk Management Best Practices for the Energy Industry
Energy organizations face the global challenge of complying with diverse regulations. These...
Why Law Firms Need to Do Third-Party Risk Management
As a legal professional, you probably know the importance of risk management for your law firm....
Subscribe to Venminder
Get expert insights straight to your inbox.
Ready to Get Started?
Schedule a personalized solution demonstration to see if Venminder is a fit for you.