In this, the eighth installment in this series on managing an effective vendor-management program, we look at breaches. In keeping with our planetary theme, this chapter is named after the last planet in our solar system, Uranus--and it seemed fitting for breaches. Sometimes a breach is the last thing we expect to see, but nevertheless, they are there. It is most often not a case of if there is a breach but what to do when that breach occurs.
Data Breaches in the News
The Ponemon Institute named 2014 the year of mega breaches. Also, the Association of Corporate Counsel's recent chief legal officer (CLO) survey revealed that 27 percent of CLOs reported experiencing a breach in the past two years. Methinks that number is too low.
Vendors are behind many of the well-known recent breaches, such as Target (credentials stolen from a vendor); Lowe’s (vendor backed up data to unsecured data server); Home Depot (stolen vendor credentials), and Goodwill (vendor systems attacked by malware). The 2013 Trustwave global security report states that 63 percent of the 450 data breaches studied were linked to a third-party component of IT system administration. And Ponemon attributes 20 percent of breaches to improper vetting of vendors.
The cost of breaches is high in impact to business, costs to mitigate and consumer trust. TRUSTe’s Privacy Index, 2015 Consumer Confidence Edition reveals that 91 percent of consumers avoid doing business with companies they don’t think protect consumers’ information online. Although there is debate that the cost of breaches, as reported by Ponemon, ranges from $750,000 to $35 million, and that this is barely a blip to large corporations, there are three critical factors at work in calculating the true cost of a breach: the damage to the brand and/or the lost trust, the consideration that $35 million is not minor to all companies and the potential lawsuits and regulatory actions following breaches.
On January 12, The Wall Street Journal noted that the number of cyber “incidents” reported to the Department of Homeland Security more than doubled between 2009 and 2013, with 228,700 cyber incidents reported in 2013. Between the rise in online business transactions and big-data tracking, organizations must ensure the secure and legal collection and storage of client and customer financial, demographic and transactional data. Yet just one in three companies has data breach protection insurance, and despite aggressive detection and awareness, the cost per stolen record rose by nine percentage points over the past year, according to Ponemon.
The healthcare industry had a markedly high percentage of data breaches within the past two years. It also has the highest per capita cost by industry, and breaches will continue to increase as technological advances are made in managing health, monitoring care and storing employee health records, Experian reported this year. In addition, almost 50 percent of healthcare CLOs reported experiencing a data breach over the past two years, compared with a quarter of CLOs in other industries. Considering the introduction of strict regulations in place to safeguard protected health information over the past two decades, CLOs in the healthcare industry face a substantial challenge as health systems continue to expand the implementation of electronic health records.
With the incredible amount of information available on data breaches and their resulting costs, this post is not intended to rehash that news but rather to bring awareness of the relationship of breaches to your vendor-management program and how to mitigate that risk.
How To Mitigate the Risk of Data Breaches Through Vendors
This is the holy grail of issues, in part because the actions required are all-inclusive and no solution is perfect. Debate rages on whether Target even could have taken steps to prevent their breach. So why bother? Because companies are responsible for protecting the personal data in their possession. Expectations and liabilities are based on what is responsible and reasonable; reckless and negligent conduct will land a business in much more trouble and carry a tremendously higher risk than will doing the right thing based on the size and scope of your business, the types of data in your possession—outsourced to a vendor or not—and the state of the available technology.
The first step to mitigate the risk of data breaches through vendors is to have an effective vendor-management program. That is the goal of such a program—to ensure that one’s vendors are doing their jobs correctly—understanding that one can delegate responsibility but not accountability.
Prepare for a Breach
You are more likely to experience a breach as a company than you are to break into the Fortune 1000. Don’t check my statistics; they’re fuzzy. And if you’re in the Fortune 1000, you are even more likely to be breached, if only because you hold more data, gain more enemies and are more in the public eye. Yet companies prepare for profit rather than for disaster.
- Build a breach response team and plan. Test them. Include your vendors in your tests. Make sure your vendors plan and test as well. Have outside expertise on that plan. Build in coverage for when members of the team cannot be reached. Breaches rarely happen at the optimum time. Get cyber-liability insurance. Read it. Update it. Make sure it is good, and have someone experienced in managing breaches review the coverage. Make sure your vendors have cyber-liability coverage. Get a copy of the policy.
- Check internal policies and practices to ensure employees know what to do with any report of a breach. Knowing whether data has been accessed and/or lost is an IT/tech call. Knowing whether that access and/or loss qualifies as a breach and when certain entities need to know is a legal decision. Make sure the teams talk. Get a copy of your vendors' policies. Vendors do not always want to provide copies, so just like we discussed in due diligence in Chapter Three, rank your vendors on a risk-based scale and at least get the policies on those who handle the most critical data.
Prevent Breaches, Especially the Catastrophic Ones
- Use data loss/leak tools. Encryption is not everything, but it’s a start. Have a frank conversation with your vendors about their breach philosophy, their protective measures and how they manage incursions.
- Educate, educate, educate. True privacy and security knowledge does not come once a year in a three-hour session. It happens through frequent and consistent awareness, discussion and training. Unfortunately, it also usually happens in a breach scenario. Don’t forget good ol’ everyday paper breaches. Don’t forget good ol’ everyday human error and stupidity. Check your vendors’ education plans. Get a copy of some of their education programs. Ask for validation of training.
- Invest in the right personnel in the right quantities, and give them the authority to act. Privacy officer/counsel. Information security officer. Compliance officer. Ask your vendors for the names and contacts of the critical personnel in these areas. Ask for job descriptions. Talk to the people in those positions.
Minimize Potential Damage from Breaches
- Get rid of data you don’t need, and don’t pass it to vendors. Don’t let vendors collect it. Build or improve your data retention policy and actually purge data. Your internal emails should not wind up costing you business or loyalty. Only collect the data you need to do business, and try not to collect data that is “risky,” i.e., Social Security numbers, credit card numbers, etc. Scour your systems. Purge. Challenge the notion that “it’s always been done this way, why change?” Own the IP from data. Do not let vendors use it. Even de-identified, it can come back to haunt you.
When a Breach Happens, Do the Right Thing
- Make sure if it happens through a vendor, that they work with you to manage this. In the contracting chapter, we discussed ensuring that there were no limitations of liability for breaches of confidential information. The costs, as we’ve seen, can be astronomical.
It is difficult to run an effective vendor-management program. It takes dedication, time, effort, personnel and focus to run these programs, and nothing is perfect. It would be nice to have a vendor clearinghouse that provides these interfaces in a streamlined fashion so companies can focus on business needs, assured that due diligence needs are managed. But until that time, prioritize your vendors on a risk-based approach.
Breaches will happen. If it happens through a vendor, have a partner you can rely upon and not an adversary or an unknown. Just like you know your marketing forecasts and profit margin, know your vendor landscape. You may not know all your vendors, but know your risk environment.
Miss the first seven installments of this series? You can find them here, at the IAPP's Resource Center.