This article is part of an ongoing series about establishing program metrics and benchmarking for your privacy incident management program by Radar, a provider of purpose-built decision-support software designed to guide users through a consistent, defensible process for incident management and risk assessment. Find earlier installments of this series here.

In previous installments of this series, we learned that fewer than one in 10 privacy incidents rise to the level of a data breach requiring notification, and we learned about the value of contractual agreements as effective administrative safeguards.

At Radar, we have a unique vantage point: the product gives us visibility into big-picture trends and insights covering not just the breaches that are reported, but also the multitude of incidents. And there is a big difference between those two designations. In this installment of the series, we decided to look into an issue that is becoming more widely reported as companies react to recent large-scale data breaches and make preparations for compliance with the GDPR: managing the risk of incidents caused by third-party vendors.

The statistics on third-party breaches vary widely, and it’s clear that organizations have trust issues when it comes to third parties reliably notifying them when an incident or a breach occurs. A report from insurance company Beazley covering the first six months of 2017 indicates that accidental breaches caused by employee error or data breached while controlled by third-party suppliers account for 30 percent of breaches overall. A survey by Soha Systems places the percentage of all data breaches linked directly or indirectly to third-party access at 63 percent. And yet another study, from the Ponemon Institute and sponsored by BuckleySandler and Treliant Risk Advisors, indicates a lack of trust in third-party vendors to reliably notify your organization of a breach: 37 percent of respondents didn’t believe vendors would notify them of a data breach, and when that vendor is further removed (a fourth-party vendor or greater), that number grows to 73 percent.

While data around third-party breaches is a significant part of the story, understanding third-party incident data and how it fits is a critical aspect of seeing the big picture. Therefore, we decided to explore third-party-related incidents and related breach determinations by focusing on data controllers/covered entities, their rate of reporting incidents as breaches, and whether the source of an incident (caused internally versus externally to the entity) had any significance.

Data-driven insights about third-party sourced incidents

Diving into aggregated and anonymized metadata from Radar, we analyzed a sample set of 10,000 incidents from the past year. We limited our sample to only include incidents where the role of the entity was a covered entity (or controller) or the entity had dual roles as both a covered entity and a service provider. 

What we found was surprising. The vast majority of incidents tracked and documented by covered entities were internally sourced: 88.4 percent of all incidents, while only 11.6 percent of incidents tracked within the sample data set were sourced from external third parties. Since industry reports indicate that third-party entities are causing a significant portion of reported breaches, it would stand to reason that the overwhelming majority of incidents would be externally sourced as well.

Next, we decided to dig deeper into distinguishing insights about the two categories of reported incidents as they relate to breaches. Again, we were surprised to discover upon further analysis that the covered entities performing incident risk assessments categorize incidents as breaches at very similar rates in both incident categories. Nineteen percent of externally sourced incidents are categorized as breaches, while 20.6 percent of internally sourced incidents are categorized as breaches.

On closer look, we discovered that while these rates are relatively close, they diverge significantly when it comes to entities choosing to voluntarily report externally sourced incidents (7.3 percent) over internally sourced incidents (1.2 percent). Voluntary notice may be given based on an entity’s culture of compliance when an incident risk assessment does not cross the risk of harm threshold or meets regulatory exceptions. 

This means that covered entities are six times more likely to voluntarily notify affected individuals when the incident is externally sourced and attributed to a third party.

Lessons learned

What lessons can be learned from this exercise to take back to your privacy program?

First, it is important to be able to see all incidents in a single dashboard and to easily drill down into the data to learn where the incidents are coming from, how often incidents escalate to a breach, and if there are any anomalies in your trends. These are all good questions your privacy program should be able to answer.

Another lesson is that it’s critical to understand your business relationships, including which vendors may be using what data, and how. Having clear, established contractual obligations to notify one another of unauthorized disclosure of personal data is critical. It’s also important to have systems in place to be able to track these contractual obligations and their notification triggers and deadlines.

Finally, a word to third-party vendors: The fact that your business partners may voluntarily notify of a data breach when the fault was within your systems should serve as a warning to practice good data stewardship. It is in everyone’s best interest that all parties involved establish and maintain good privacy practices and build strong relationships with trusted partners.

About the data used in this series: Radar ensures that the incident metadata we analyze is in compliance with the Radar privacy statement, terms of use, and customer agreements. The information extracted from the platform for purposes of statistical analysis is not identifiable to any customer or data subject.
