Bloomberg Law Leadership Forum D.C. on September 18, 2019.

Third-Party Vendors Are an Overlooked Data Breach Risk

Data breaches are an unfortunate side effect of our increasingly connected lives. In 2018, there were more than 6,500 reported breaches, exposing over 5 billion records, according to a year-end report by Risk-Based Security. Among the most significant vulnerabilities, data privacy experts say, are third-party vendors who don’t have adequate security measures in place.

During a discussion about building corporate privacy culture at the September 18 Bloomberg Law Leadership Forum, Quyen Truong, a partner at Stroock & Stroock & Lavan, said it’s especially important for a corporation’s business leaders and technical teams to talk to lawyers about data privacy compliance when using outside vendors.

“They realize there’s a lot more they have to unpack, and there’s a two-way flow of information as data gets incorporated into the products of one party, which it then sells to or shares with somebody else,” Truong said. “There’s this whole web that’s out there. You have to figure out how to deal with all of that at the very sophisticated contractual and oversight level.”

In a study released in 2018 by Opus and Ponemon Institute, 61% of American corporations said they had experienced a breach from a third-party vendor. Only 37% claimed to have adequate resources to monitor and vet those external relationships.

Robert Fowler, director of strategic partnerships at Jordan Lawrence, an Exterro company, pointed to the 2013 Target breach, which compromised the data of 41 million customers.

“The bad guys made their way in through an HVAC vendor and into the point of sales for Target,” he said. “I am sure that as Target was looking at their third parties and thinking about risk, that HVAC vendor was probably not high on their list.”

Suresh Chawdhary, head of health, safety, security, and privacy at Nokia, agreed. It’s not only the company that needs to have airtight data protections but “also the ecosystem – vendors, suppliers, third parties, contractors, organizations all need to take that responsibility.”

The experts also emphasized that data privacy concerns need to be top of mind from the very beginning of projects and should never be an afterthought.

“You have to integrate it into how you run the business, so every time that you’re going to launch a new product or a significant relationship, people will automatically address these cyber concerns,” Truong said.

As general awareness about the importance of security and data protection grows, consumers’ increasing demands for data privacy are driving the conversation and encouraging companies to make positive adjustments and politicians to consider data privacy legislation.

“When you are a customer, you may not realize it, but you have the ability to really change the behavior of the company,” said Kristen Budris, commercial counsel at Proofpoint, Inc. Thanks to more informed customers, “Those conversations have evolved so much. It drives the behavior of everybody when customers are asking for that.”
