Third-Party Data Protection: Are Your Vendors Prepared?

Cybersecurity incidents, such as data breaches and ransomware attacks, have become increasingly common in recent years. Threat actors from around the globe continue to target a wide range of industries and organizations of all sizes. The consequences of these incidents can range from operational disruptions and reputational damage to legal action and financial loss. Implementing a robust cybersecurity program that follows industry best practices on data protection can help minimize the impact of these incidents.

However, ensuring your organization is ready to protect against data breaches is only half of the equation – your vendors play an equally important role in safeguarding your sensitive information. By assessing your vendor’s preparedness and implementing data protection best practices into your third-party risk management (TPRM) program, you can identify additional risks and protect your data.

The Importance of Third-Party Data Protection  

When thinking about the importance of third-party data protection, it may help to shift your perspective towards a personal level. Chances are, your own sensitive data is handled by several organizations, such as financial institutions, healthcare providers, and online retailers. You would expect each of these organizations to safeguard your data, even if it’s being accessed or stored by a third party, like a cloud service provider. 

The same principle applies to your organization and protecting your customers’ data. Third-party data protection is your organization’s responsibility to ensure your vendors are prepared to prevent, identify, and respond to incidents that can expose your customers’ data. Integrating third-party data protection practices into your TPRM program can help build and maintain trust with your customers, prevent financial loss, and meet regulatory requirements.

Regulatory Requirements for Third-Party Data Protection 

Many regulators have outlined significant cybersecurity requirements for organizations, including data protection practices. These requirements can extend to third-party data protection in many cases where a vendor has access to sensitive information. These regulations cover many different industries in several countries, highlighting the importance of TPRM and protecting data.

Here is a brief overview of regulatory requirements that pertain to third-party data protection:

• Gramm-Leach-Bliley Act (GLBA) – This requires organizations involved in finance to safeguard the security and confidentiality of their customers’ non-public personal information (NPPI). Per the requirements, organizations should have written data protection policies and practices.
• General Data Protection Regulation (GDPR) – This EU regulation is designed to protect a customer’s data and privacy. Third-party data protection is achieved by establishing a data processing agreement with your vendors and including data breach notification requirements in your contracts.
• Health Insurance Portability and Accountability Act (HIPAA) – The Privacy Rule and Security Rule require organizations to safeguard protected health information (PHI). HIPAA includes third-party data protection practices such as performing risk assessments on business associates and developing contracts to ensure PHI is safeguarded.
• Prudential Standard CPS 234 Information Security (CPS 234) – This regulation from the Australian Prudential Regulation Authority (APRA) aims to keep organizations resilient against cybersecurity incidents. Data that is managed by third parties should be protected through activities like risk assessments, due diligence, and control testing. 
• State privacy laws – California was the first state to enact a data privacy law, which has been amended to the California Privacy Rights Act (CPRA). Many other states have also passed their own laws that protect their citizens’ data privacy. In general, these privacy laws contain language to ensure organizations and their third parties are protecting data from unauthorized use or disclosure. The New York Department of Financial Services (NYDFS) also has a cybersecurity regulation titled NYCRR 500, which requires financial institutions to have certain data protection practices in place. Organizations must report third-party cybersecurity incidents and include vendors in their business continuity and disaster recovery plans.

Are Your Vendors Prepared to Protect Data?    

When performing due diligence on a vendor, you should be sure to identify any potential risks and weaknesses that could leave your organization vulnerable to a data breach. You must ensure the vendor can protect the data from hackers, especially if the vendor has access to sensitive data.

Here are some questions that can help determine the effectiveness of your third party’s data protection practices: 

1. Does the vendor remain updated on changes to regulations and new data protection laws?
2. What controls are in place to protect your customers’ sensitive data?
3. How does the vendor train their staff on cybersecurity best practices?
4. Does the vendor run network and social engineering tests to check how well it can identify common cyberattacks such as phishing emails?
5. What effective incident response plans are in place?
6. How would the vendor handle follow up and resolution to data breaches?
7. What methods are used to protect data in transit and at rest?
8. Does the vendor have policies for data retention, data destruction, and data privacy?
9. Do the vendor’s policies address data in both physical and electronic formats?

Understanding how the vendor would handle an incident may give you a good idea of any risks present and how well the vendor’s procedures and priorities align with those of your organization. New risks and vulnerabilities can emerge at any time, so your organization should continue to review and assess third-party data protection practices throughout the relationship. Additionally, as regulatory guidelines continue to evolve to protect organizations and set strict standards for data protection, it’s important to ensure your organization and your vendors comply, or risk heavy fines.

Best Practices for Third-Party Data Protection   

The initial due diligence process is only the first part of the third-party relationship, and the risks associated with your third party will continue to exist throughout your entire relationship. Just as you’ll regularly assess your vendor’s performance, services, and financial health, for example, it’s also imperative to perform ongoing due diligence to check for cybersecurity measures. 

Here are several suggested best practices for implementing third-party data protection into your third-party risk management strategies:

1. Only share sensitive data with vendors when necessary, and don’t give vendors access to sensitive data when it isn’t required. This is known as the principle of least privilege, which means that no one should access data unless they need it to perform their duties. This key third-party data protection practice ensures your data isn’t at a greater risk of exposure. 
2. Assess the third party’s cybersecurity risks. Before beginning a third-party relationship, your organization will want to ensure the third party has data protection policies and practices in place. During due diligence, it’s important to review the third party’s documentation and assess their data security practices in areas like management, retention, destruction, and encryption. Security testing, incident management, and employee training should also be assessed to determine effectiveness. 
3. Monitor your vendor for any changes in risk and performance. A sudden decline in a vendor’s performance or a rise in vulnerabilities may indicate that their data protection practices are becoming less effective. For example, maybe the vendor’s penetration testing results reveal a month-to-month increase of critical vulnerabilities over the past year. This should initiate a closer look at the vendor’s controls to identify the issues and determine any next steps for the relationship. 
4. Make data protection a priority in third-party contracts. Contracts are one of the best tools to outline third-party data protection requirements. Third-party contracts should include requirements about data breach notifications and the right to audit the vendor’s cyber policies and procedures. You may also want to include security testing requirements and expectations on regulatory compliance. 
5. Maintain the expectations of your organization and stay up to date with updated laws and regulations. Compliance expectations should be clearly communicated with your vendor to ensure you’re both following the same data protection standards. As new data protection laws and regulations are released, it’s still your responsibility to ensure compliance within your organization and any vendors that have access to your data.

To best protect your organization and your customers, you must remain vigilant. By implementing third-party data protection and continuing to monitor your vendors, you will be able to mitigate cybersecurity risks and protect your organization from disastrous data breaches.