Data breaches are an unfortunate side effect of our increasingly connected lives. In 2018, there were more than 6,500 reported breaches, exposing over 5 billion records, according to a year-end report by Risk-Based Security. Among the most significant vulnerabilities, data privacy experts say, are third-party vendors that don’t have adequate security measures in place.
During a discussion about building corporate privacy culture at the September 18 Bloomberg Law Leadership Forum, Quyen Truong, a partner at Stroock & Stroock & Lavan, said it’s especially important for a corporation’s business leaders and technical teams to talk to lawyers about data privacy compliance when using outside vendors.
“They realize there’s a lot more they have to unpack, and there’s a two-way flow of information as data gets incorporated into the products of one party, which it then sells to or shares with somebody else,” Truong said. “There’s this whole web that’s out there. You have to figure out how to deal with all of that at the very sophisticated contractual and oversight level.”
In a study released in 2018 by Opus and Ponemon Institute, 61% of American corporations said they experienced a breach from a third-party vendor. Only 37% claimed to have adequate resources to monitor and vet those external relationships.
Robert Fowler, director of strategic partnerships at Jordan Lawrence, an Exterro company, pointed to the 2013 Target breach, which compromised the data of 41 million customers.
“The bad guys made their way in through an HVAC vendor and into the point of sales for Target,” he said. “I am sure that as Target was looking at their third parties and thinking about risk, that HVAC vendor was probably not high on their list.”