Facebook makes the news every now and then, but the recent Facebook/Cambridge Analytica scandal is a train wreck you can (and should) learn from when it comes to managing vendor relationships. Outsourcing may be a valuable and necessary part of business operations, but managing vendor risk needs to be a foundational piece of your organization’s cybersecurity program.
At the heart of the recent scandal is a third party gone rogue. According to Facebook, an authorized app developer legitimately accessed Facebook users’ information but acted without authorization when sharing that data with Cambridge Analytica. Now, Facebook faces significant legal and regulatory fallout thanks to a third party.
Vendors are a Risk!
Other companies face similar consequences when they fail to properly implement security measures for third-party vendors. Recently, New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs announced a settlement with a physician group over allegations that it failed to protect the privacy of more than 1,650 patients whose medical records were made public on the internet as a result of a server misconfiguration by a private vendor. The Division of Consumer Affairs alleged that the physician group failed to conduct a thorough risk analysis of the confidentiality of health information it sent to a third-party vendor and failed to implement security measures to reduce that risk.
Even though the breach was caused by a vendor, the data belonged to the physician group, and it was required to protect it. According to Sharon M. Joyce, Acting Director of the Division of Consumer Affairs, “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.” [emphasis added]
The physician group paid over $400,000 for their vendor’s mistake.
Tips for Reducing Vendor Risk
- Develop a vendor management program that classifies vendors based on the risk they present (for example, by the sensitivity of the data they handle and the level of access they receive). It should include procedures for selecting, maintaining, and terminating vendors, and should assign one or more named employees clear responsibility for vendor management.
- Do your research. Require vendors to complete detailed questionnaires about their security practices before hiring them. Ask them to provide a recent independent security assessment as well as documentation that lists the security controls they actually have in place. Reputable vendors will already have these because other customers will have asked for them. If vendors don’t have them or complain about the request, don’t hire them.
- Include important contractual clauses in vendor contracts, such as suspected breach notification, indemnification clauses, rights to audit, and subcontractor provisions.
- Adhere to data minimization principles. If vendors don’t need the information, don’t let them have access to it.
- Periodically audit your vendors. A contract review is not enough; exercise the audit rights written into the contract and verify that the controls the vendor promised are actually in place. If you think a vendor is not complying with a contract, follow up immediately!
- Check your cyber insurance. Does your policy extend to your vendors? Are you considered a vendor to others and, if so, how does your policy address that? Review your coverage!
Vendor management is essential, and companies will be held responsible not only for their own security, but their vendors’ security as well.
To learn more about vendor management and how to build an effective vendor management program in your organization, please contact our privacy and security professionals at firstname.lastname@example.org.