The role of the third party is evolving.
It doesn’t matter what type of organization you are: third parties impact the security of your organization. Sometimes third parties do a stellar job at security. Other times, they fail miserably. According to the Ponemon Institute, 65% of companies that reported sharing customer data with a partner also reported a subsequent breach through that partner.
Third parties are one of the greatest threat agents to your data, and most organizations don’t know how (or if) third parties protect their data.
That’s why you must be hyper-vigilant with every third party that could impact the security of your sensitive data, whether patient information or credit card data.
If you don’t already have a list of third parties, make one. To jumpstart your list, here are some of the most-forgotten third parties that handle sensitive data:
Remember, if you don’t even know who is handling your data, how can you protect it?
Now that we understand who is handling the data, how can you make sure your third parties take care of it?
Understanding third parties is really about understanding your scope. Scope is merely defining exactly who handles your data, how it’s handled/maintained, and where it travels throughout its lifecycle. If you have all these processes documented, you should already know exactly who your third parties are, and how your third parties handle your data.
Every organization should be a professional skeptic about its third parties. The best way to understand whether your third-party vendor is protecting your data is to ask them. If you fail to ask, you’ve already failed security 101.
Here are a few examples:
So much of data security is mandated through strict regulations like the PCI DSS and HIPAA. Let’s go over some HIPAA-specific and PCI DSS-specific regulations regarding third parties. If you handle credit card data at all, pay attention to PCI DSS. If you handle patient data, pay attention to HIPAA regulations regarding third parties.
Healthcare entities often believe their business associate agreements cover them in case of a breach. Unfortunately, that’s not accurate.
The HIPAA Omnibus Rule states that even if a business associate (third party) has never signed a business associate agreement, it may still be held liable. This also means the covered entity carries liability as well.
It’s common for third-party vendors to not fully realize they are part of HIPAA regulations, as they may not actually view healthcare data. That’s why now is a good time to educate your third-party vendors and determine the risk they pose to you and your data. If they are unwilling to sign a BAA, it may be advisable to seek vendors that will treat your data more securely and are contractually willing to secure it.
The PCI Council recently clarified that they are not big fans of businesses pointing fingers at their third parties, and vice versa.
In PCI version 3.1, requirement 12.9 states that service providers are required to acknowledge to customers (in writing) that they are responsible for the security of the cardholder data the service provider possesses, stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
See also: SecurityMetrics PCI Guide
Most of the big service providers out there (like Microsoft, Norton, etc.) have already published their responsibility statements to comply with this new PCI DSS requirement. But, it’s not enough just to draw up a contract of who is responsible for what. Merchants must actually implement the security measures they’re in charge of, and the same goes for third parties.
Understand that if you get breached because your third party didn’t configure your firewall correctly, you are STILL responsible for that data breach. Why? As part of the PCI DSS, you are responsible for verifying your service provider is actually acting on their responsibilities.
When dealing with sensitive data, it’s not just PCI DSS and HIPAA you have to worry about. If your data is sent across country borders (to Canada, to the UK, etc.), regulations regarding your data may change.
For example, as your data moves from one cloud in the U.S. to another in Canada, are you aware of and following Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)? Do those requirements even apply to you? This is probably something you want to be aware of. The location of your data and the hosting organization should always be considered.
Additionally, if your data is created in one country (like the UK), then transmitted through another country (one other than the U.S.), and then ends up being stored in a third location, you may be subject to three separate legal systems.
It is always advisable to consider third parties and the mandates, legal ramifications, and the potential for someone else to gain jurisdiction over your data as it has crossed into a different country.
If you have sensitive data crossing national borders, discuss the potential issues with your legal counsel.
Every service provider should provide you with their Attestation of Compliance (AOC) with the PCI DSS. Some are public (like Microsoft), while others (like Amazon Web Services) require a non-disclosure agreement before sending it to you. These attestations of compliance are extremely helpful when choosing and evaluating third parties, even for organizations that don’t deal with PCI DSS.
One thing many organizations fail to understand is that an AOC provided to you may not cover the services you use with your third party. For instance, you may be engaging your third party for infrastructure and networking, but their AOC says they are actually only compliant with ‘storage’ and ‘web’ services. As I mentioned before, it is important to be a professional skeptic, especially when your third party says they are compliant (they may be, but it’s best to double check it and be safe).
More often than not, larger vendors tend to do a better job at their attestation of compliance. They’re more diligent in their efforts because they have a lot more eyes on them. That isn’t to say they are always the most secure choice. In fact, plenty of large third parties have been the cause of recent large data breaches in the news.
In this post, we’ve discussed:
Yes, it’s a big job to hold third parties responsible, but you don’t have to do it alone. There are security companies out there who audit third-party vendors to make sure that their service/product is actually protecting your data.
The role of the third party is evolving. The way we share/transmit and protect data will always change. But what will never change are risks, threats, and vulnerabilities. They will always be around, especially if not addressed. That’s why it’s crucial to get your stakeholders together and decide whether you think the risks your third parties pose are worth it, or if it’s time to find some new, more secure third-party vendors.