Third-Party Security: You Will Be Judged by the Company You Keep

Over the past three decades, I've done work for a wide range of organizations to help them identify the storage locations for all forms of their business information (including customer, client, patient, and employee information). One of the key activities to accomplish this is identifying and documenting all vendors, contractors, business associates, service providers, business partners, and all other types of outsourced entities that possess or have any other type of access to the information.

After doing related vendor assessments for hundreds of organizations, I've found fewer of them than I can count on my fingers that accurately knew and had documented all their outsourced entities. Why? There are a wide range of reasons. Some of the most common I’ve heard include:

• Business units outside of the information security, privacy, and acquisitions areas directly contracted outside entities to do some type of service involving the information and did not notify the central corporate office with this information.
• Some of the outsourced entities were provided with access to information after the relationship was created, and such information possession or access was not initially anticipated.
• Activities were subcontracted by the outsourced entities (sometimes two, three, and even four more subcontracted levels down!) for which the organizations were not aware, giving many more entities access to their information than they ever even knew about.
• Existing outsourced entities were acquired by other organizations, and subsequently a vast amount of additional access was provided to others within that new organization to the organizations' business information beyond what was initially established.
• Contracted entities that did past work for the organizations still had access to their information, even though they were no longer doing work for the organizations.

Not knowing who possesses, or accesses, your information, in any form, is a huge risk, not only to the applicable individuals about whom the information applies, but also to your organization—putting your business at great risk of liability for the mistakes or malicious activities of those mystery third parties.

You cannot outsource your responsibilities

After all these years, I am still hearing way too many organizations state something very similar to: "We outsourced so we wouldn't be liable for the security of the information when it is under the care of the outsourced entity." It simply does not work that way, folks; for many reasons. Here are a couple of high-level reasons.

Reason #1: Laws and regulations establish your responsibilities outsourced activities.

A few of the laws and regulations that contain requirements, either directly or implied, for performing business partner security program reviews, which establish responsibility on your part for you to know who your outsourced entities are to begin with, include:

•  Health Insurance Portability and Accountability Act (HIPAA)
•  EU General Data Protection Regulation (GDPR)
•  US Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC)
•  Gramm Leach Bliley Act (GLBA)
•  Sarbanes Oxley (SOX) Act
•  Federal Trade Commission (FTC) Act
•  Fair and Accurate Credit Transactions Act (FACTA)
•  Internal Revenue Code (IRC) Section 7612
•  U.S. state breach notice laws

And the list could go on for several pages.

Reason #2: Your published policies may obligate your organization to track all contracted entities.

Do you know what your organization's outward-facing (on websites, social media sites, etc.) privacy notice/policy and security policy promise? Do you know what the privacy and security notices that are sent to your customers, employees, patients, and possibly even general consumers say? Do they say something similar to one or more of the following actual policy statements I've seen?

• We restrict access to personal information to employees, contractors, and vendors who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations.
• We do not and will not share your usernames and passwords with anyone.
• We monitor all activities for potential fraud.
• We use the highest commercially available encryption from the point in time we collect your personal information until we no longer need your information for business purposes.

If you are making these promises, then you are expected to ensure that all the contracted entities to whom you entrust the information keep these promises that you made. Your promise follows the information. How many of your contracted entities are complying with the promises you've made to your customers, patients, employees, and consumers? How do you know?

How will you know if your contracted entities have had a breach involving the personal information you've entrusted to them if you don't even know the entities that access or possess that personal information? How will you know if your contracted entities are appropriately protecting information if you don't even know all the entities performing contracted information storage, processing, and other types of access? If you haven't documented all your outsourced entities, then you don't know, and it is likely those many unknown entities are not following your policies; they are breaches and liabilities just waiting to happen.

Bottom line for all organizations, from the largest to the smallest

1. You probably have business associates, business partners, vendors, and other contracted entities that you do not know about.
2. Your Vendor Contract, Business Associate Agreement, or any other type of service contract, may be outdated.
3. You may have contractors, vendors, business associates, brokers, or other types of contracted entities that did past work for you that may still have access to your data, even though they are no longer doing work for you.
4. You need to have a vendor/contracted entity management process in place to be able to track all that have access to your valuable information, and then to ensure their controls fulfill the security and privacy promises you've made, as well as meet your legal information protection obligations.

All organizations need to identify and document all the outsourced and contracted entities that possess or otherwise access their information, in all forms. After identifying them, make sure that they have appropriate controls in place, and then establish an oversight method so you can demonstrate due diligence. Then, in the event they have some type of security incident and/or a privacy breach, you will be able to more efficiently communicate and coordinate with them, you will have documented evidence that you did all you could to ensure all hands secured the information appropriately, and you also will have limited your liability as much as possible.

Additional help for vendor management

Here are some additional items to help you keep track of your own contracted entities (vendors, contractors, business associates, brokers, etc.):

• Sample HIPAA Business Associate Agreement. Based on the example provided from the Department of Health and Human Services, with instructions and guidance included.
• A non-sector-specific general use vendor agreement to use with your contracted entities to help ensure compliance with data protection laws and adherence to strong privacy and security practices.
• Our vendor inventory provides the first step for you to take in effectively managing your third parties. It also is beneficial for improving your existing vendor management activities that do not include a vendor inventory.

This article appeared originally at Privacy and Security Brainiacs.