Third-Party Vendors Are an Overlooked Data Breach Risk

October 16, 2019
Data breaches are an unfortunate side effect of our increasingly connected lives. In 2018, there were more than 6,500 reported breaches, exposing over 5 billion records, according to a year-end report by Risk-Based Security. Among the most significant vulnerabilities, data privacy experts say, are third-party vendors who don’t have adequate security measures in place.

During a discussion about building corporate privacy culture at the September 18 Bloomberg Law Leadership Forum, Quyen Truong, a partner at Stroock & Stroock & Lavan, said it’s especially important for a corporation’s business leaders and technical teams to talk to lawyers about data privacy compliance when using outside vendors.

“They realize there’s a lot more they have to unpack, and there’s a two-way flow of information as data gets incorporated into the products of one party, which it then sells to or shares with somebody else,” Truong said. “There’s this whole web that’s out there. You have to figure out how to deal with all of that at the very sophisticated contractual and oversight level.”

In a study released in 2018 by Opus and Ponemon Institute, 61% of American corporations said they experienced a breach from a third-party vendor. Only 37% claim to have adequate resources to monitor and vet those external relationships.

Robert Fowler, director of strategic partnerships at Jordan Lawrence, an Exterro company, pointed to the 2013 Target breach, which compromised the data of 41 million customers.

“The bad guys made their way in through an HVAC vendor and into the point of sales for Target,” he said. “I am sure that as Target was looking at their third parties and thinking about risk, that HVAC vendor was probably not high on their list.”

Bloomberg Law Leadership Forum DC on September 18, 2019.

Suresh Chawdhary, head of health, safety, security, and privacy at Nokia, agreed. It’s not only the company that needs to have airtight data protections but “also the ecosystem – vendors, suppliers, third parties, contractors, organizations all need to take that responsibility.”

The experts also emphasized that data privacy concerns need to be top of mind from the very beginning of projects and should never be an afterthought.

“You have to integrate it into how you run the business, so every time that you’re going to launch a new product or a significant relationship, people will automatically address these cyber concerns,” Truong said.

As general awareness about the importance of security and data protection grows, consumers’ increasing demands for data privacy are driving the conversation and encouraging companies to make positive adjustments and politicians to consider data privacy legislation.

“When you are a customer, you may not realize it, but you have the ability to really change the behavior of the company,” said Kristen Budris, commercial counsel at Proofpoint, Inc. Thanks to more informed customers, “Those conversations have evolved so much. It drives the behavior of everybody when customers are asking for that.”
