Nobody does everything all by themselves anymore. Those were among the first words Houghton Mifflin Lead Information Security Privacy Specialist Web Hull, CIPP/G, CIPP/US, said to a room of privacy professionals during an Active Learning session at the IAPP Global Privacy Summit 2019 in Washington.
Hull used those words to kick off a conversation about vendors, specifically third-party vendors that process information on behalf of another organization. Concerns around third parties are not new in privacy; however, Hull posed a different question privacy professions should start to consider: How do you manage the vendors that the vendors have employed?
In the session titled "Fourth-Party Vendor Management: How to Manage Your Vendor's Vendors," Hull sought to offer the best ways to address this issue, while also offering attendees the chance to win some Del's frozen lemonade.
The crux of the session focused on an organization's work with its third parties. Hull said there is no playbook for effective fourth-party vendor management. In order to do it properly, it will take a lot of time, money, resources and attention from management.
The best course of action for privacy professionals is to examine their third-party risk management program and to ensure that those third parties have their own risk management programs for the vendors they hire, Hull said.
When an organization draws up a business associate agreement with a vendor, Hull said, it needs to ensure that all the requirements the organization has for the vendor flow down to the next level of subcontractors. The requirements need to be uniform throughout the chain because a data violation will end up affecting everyone involved.
"If you have a fourth party and you have a breach, you have to tell a regulator," Hull said. This creates a long string of notifications among the vendors, which ends up turning into a mess, he added.
One tactic Hull recommends is to obtain audit rights to examine a third party's risk management program. He said it is an important legal requirement to put into a BAA in order for organizations to ensure those requirements are, in fact, flowing down to fourth parties.
Organizations can also demand to look at contracts for vendors that are perhaps handling data covered by the EU General Data Protection Regulation. Should an entity find an issue in these audits, it can go back and tell the vendors to adjust their contracts accordingly.
Whether the work goes smoothly may depend on the relationship an organization has with its third-party vendors. Hull likened this dynamic to parents and children. A parent may yell at a child to get them to do what they want in the short term, but it will certainly not last.
"Charm is probably your most important skill to have," Hull said. "Charm helps you get the cooperation of others. Part of charm is being a constant educator because you are going to ask people to do things they don’t normally do. Pay attention to what they are doing. Take an interest in them."
Another tactic Hull does not recommend is for an organization to audit fourth parties directly. Fourth-party vendors often have plenty of customers of their own. Hull laid out a hypothetical where the average fourth party had 100 customers, and each of those customers had 100 customers. That would require the original organization to conduct 10,000 assessments and audits. It is a course of action that would cost a lot of money to undertake.
Pieces of regulation already in effect tackle fourth-party management.
Hull cited the GDPR as a noteworthy example. Article 28 of the GDPR states "the processor shall not engage another processor without prior specific or general written authorisation of the controller," as well as a section that states that when a processor enters into an agreement with another processor, it must adhere to the terms of the agreement between the controller and the original processor.
"If you’ve got EU personal data that flows to your processor and they flow it to their subprocessor, you can get the [subprocessors'] names," Hull said. "You can ask them what they do. You can ask them to get someone else. If they add another, they have to tell you. If they change one, they have to tell you."
As with many issues in privacy, fourth-party vendor management will change as the legislative landscape continues to swirl. As the California Consumer Privacy Act and other laws around the world come into effect, Hull said organizations and their legal counsel can use those rules to leverage changes to have their third parties manage subcontractors.
There are stakes for everyone involved, and it's important to get everything in writing because, as Hull said on several occasions, if it is not in the contract, it will be difficult to get it done.