Mon, Apr 12, 2021

Five Considerations on Service Providers' Privacy and Security

Understanding who you share data with, and how they will use and protect it, has never been more critical. Privacy and security remain a top priority for regulators around the world, and organizations are advised to stay abreast of developments and take appropriate measures to comply. There is growing awareness that the weakest link may be an organization's service providers (or vendors), which have access to its environment and may be collecting, processing and storing protected personal information on its behalf. Due to COVID-19 and other macroeconomic trends, the number of service providers an organization relies on continues to grow. Below are key considerations for privacy and security in your service provider relationships.

Privacy and Security Risks Are a Growing Concern in Organizations’ Service Provider Management Program

Privacy and security concerns are a top priority in an organization's service provider risk management program. According to Kroll's 2019/20 Global Fraud and Risk Report, 73% of executives identified reputational damage caused by third parties as a risk priority, and nearly 30% reported that third-party incidents significantly affected their organization in the last year.1

Privacy regulators are requiring more action from companies when it comes to their service providers. The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the subsequent California Privacy Rights Act (CPRA) all make it clear that an organization remains responsible for the service providers in its supply chain, and that the onus is on the organization to ensure compliance.2 Many companies do not appreciate the significance of this mandate and have taken few or no steps to ensure their compliance and minimize this risk.

Cyber Security of Your Service Providers Must Be Addressed Under Many Regulations

Cyber security regulations and regulators, such as the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation, the SEC, the CFTC and HIPAA, specifically require organizations to maintain a program that obliges service providers to meet specific security controls. This challenge grows with every service provider that has access to protected personal information under an organization's control, and it requires a level of expertise beyond what many internal IT departments can provide. Identifying, validating and analyzing service providers' cyber security posture is no longer a luxury but a necessity.

Privacy Focused Regulations Are Also Sounding the Alarm

An effective privacy program cannot exist without information security. While many privacy regulations do not prescribe specific technical security controls, they require organizations to implement and maintain "reasonable" security measures to protect against foreseeable risks, and to ensure that service providers handling protected personal information meet those measures as well. Many U.S. states and countries around the world have begun considering laws modeled on GDPR and CCPA and adopting similar language, increasing the need for organizations to act.

Failure Has a Real Cost and Is Expensive

Fines for violating privacy regulations are increasing. In a single 12-month period, European regulators issued over $190 million in fines to companies that violated GDPR.3 Some of these fines have been issued in part due to the failure of a service provider, as in the case of Ticketmaster, where a third-party application was given access to protected data.4

The above list is not exhaustive, but it is a good starting point. Organizations are advised to conduct a thorough service provider risk assessment to identify and classify their service providers according to the security and privacy risks they pose, and to take concrete steps to minimize those risks. We predict that regulatory interest in privacy and information security will not subside any time soon and that the demands on organizations will only continue to grow.

Sources
1. https://www.kroll.com/en/insights/publications/global-fraud-and-risk-report-2019
2. https://www.law.com/legaltechnews/2021/01/21/ccpa-service-provider-management-potential-gaps-in-your-privacy-compliance-strategy/
3. https://www.bankinfosecurity.com/privacy-fines-total-gdpr-sanctions-reach-331-million-a-15790
4. https://www.forbes.com/sites/carlypage/2020/11/13/ticketmaster-hit-with-125-million-gdpr-fine-over-2018-data-breach/?sh=181caf124455
