Jordan Abbott, a compliance attorney at Acxiom, didn't mince words when he opened the pre-conference session at the IAPP's Privacy. Security. Risk. 2015 conference on vendor management.
"Bottom line you’re going to take away from this program is: vendors are a problem," Abbott said.
That's because businesses have hundreds of thousands of vendors for myriad uses, and it can be incredibly difficult to keep track of whether each vendor complies with the rules and regulations your organization is required to follow. To have a fighting chance at it, panelists said at "Vendor Compliance: Drowning In a Sea of Vendors," it's essential to classify vendors by type, then by the kind of access to data they have, and finally to apply rules governing the data vendors will use for various services.
Abbott said there's been an uptick in vendor management oversight programs due to three things: increased oversight from various entities, including the Consumer Financial Protection Bureau; the Office of the Comptroller of the Currency's expectations for vendor-management program oversight; and HIPAA's Privacy and Security Rules.
Abbott advised that before selecting a vendor, the first step is pretty simple: do a Google search, and make sure the vendor is in good financial standing. Then go a little deeper. Request the service provider's policies and procedures, and look at its internal controls and training materials to ensure appropriate training and oversight of employees.
The risks of not doing so are real. Anyone who doubts that might consider the most famous subcontractor of all time.
“I live in fear of the next Snowden,” Abbott said. “Do we have someone doing work for us who's amassing all data flowing within Acxiom, from Acxiom to Acxiom?”
Other concerns for him are subvendors, for whom compliance checks can be even more difficult to perform than for the initial vendor, and consumer-facing vendors who communicate with the customer on behalf of the company.
JPMorgan Chase's Zoe Strickland said that in the financial space, regulators "are all over this, formally and informally." On managing vendors, she said, one "really can't underestimate the importance the external environment is creating here."
While years ago it was the privacy officer who took care of these things and senior executives didn't fully understand how they worked, Strickland said senior management is starting to care and to understand. The risks are increasingly apparent.
Panelists largely agreed that the most important thing is to find a place to start. If your organization uses hundreds or even thousands of vendors, you might start checking compliance with the vendors on which the highest spend is made.
And frameworks are important, they said.
JPMorgan Chase employs a third-party oversight program (TPO) that consists of the board, a firm-wide committee, an oversight forum and a steering forum. The TPO program aims to ensure third parties “execute to the same high level of performance and conformance to regulations as expected from JPMC operations."
At JPMorgan Chase (JPMC), the vendor lifecycle involves an onboarding process, a "steady state," and then recertification and an exit plan. During onboarding, the vendor is identified and assessed, which includes a review of the vendor's data collection and a risk calculation. Once onboarded, the vendor is considered in a "steady state," which includes performance reviews and control assessments. Finally, the disengagement process includes data recovery and/or destruction and the removal of physical and logical access.
The TPO process results in a vendor library of “category risk profiles” and an inventory of “preferred suppliers."
Strickland said it's important not only to look at the written policies of potential vendors but also to visit them onsite. She said it's easy to get lost on page 50 of a policy; seeing it all in practice can bring it into focus.
To create accountability, JPMC names business people as specifically responsible for managing the relationship with each vendor, which can be an issue because they aren't necessarily privacy people, Strickland said.
When it comes to final selection, the privacy considerations come down to four main risks: what kind of PI the vendor collects, the volume of the PI, the source of the PI, and whether the vendor is externally facing with web or mobile apps, because, Strickland said, "not only can they do brand damage with customers but also cyber attacks."