In doing due diligence with your business’ security policies, it’s extremely important to make sure you understand every possible risk to your customers’ data. Here are 3 things you need to know about third-party security risks.
Third-Party Security Risks
1. Your business is on the hook for third-party data breaches
Despite whatever policies you may have laid out, your business is still on the hook for third-party vendors in the event of a data breach. As Bob Johnson, the CEO of NAID notes:
- “The data controller may, and often does, assign financial responsibility to the downstream vendors for financial damages they cause. However, they cannot pass on the responsibility. For example, if service provider causes a data breach notification event, their only responsibility under the law is to inform the data controller. The data controller is responsible for making and paying for the actual breach notification.”
The only way of avoiding such responsibility is having very clear security policies laid out; policies are starting to change regarding liability in data breaches (shifting some of the responsibility to the vendors themselves), but it is absolutely in your company’s best interest to make sure you have everything properly laid out.
2. Third-party vendors account for a high percentage of data breaches
A Ponemon institute study of roughly 60,000 IT employees in 2011 found that third-party vendors accounted for:
- Roughly 19% of all data breaches, which is second only to;
- Negligent insiders (34%), though still much higher than things like;
- Cyber attacks (7%);
- Failure to shred confidential documents (6%), and
- Data lost in physical delivery (5%).
If we’re to take another Ponemon study from 2011 about the average cost of a data breach over seven years, we’d find that, over that time period, this 19% accounted for by third-party vendors would add up to almost $1.05 million in damages.
The statistics within the health care industry are even more staggering:
- From 2009 to 2012, the Department of Health Services reported that roughly 57% of all data breaches in the health care industry could be traced back to third-party vendors.
Whichever way you look at it, it’s clear that selecting responsible vendors and having clear data security policies laid out is extremely important.
3. It is illegal to select a third-party vendor without doing due diligence
It’s not just irresponsible to select a third-party vendor without doing due diligence—it’s actually illegal. Bob Johnson further mentions a couple points in his article from above:
- The laws make it illegal to select a vendor without doing proper due diligence
- It’s not likely that a business will be evaluated for this except in a data breach, but it’s still wise to do so to cover your bases
Making sure to do due diligence in selecting vendors now will save a lot of headaches (and potentially liability) down the road.
What’s next?
Third-party vendors can be a huge risk if not managed correctly. Contact DataShield to make sure your business is doing everything it can to mitigate security risks in working with third-party vendors. DataShield has years of experience working with companies throughout Nebraska and Iowa by helping them with paper shredding, records management, electronic recycling, and data destruction.
